Thursday, January 30, 2020

[TERADEK] Authenticated Remote Code Execution in Teradek video decoders




Slice 356 is a 1U rack mount H.264 decoder built for OB vans and enterprise applications. It enables video professionals to output low latency high definition 1080p video at up to 10Mbps via HD-SDI. Slice 356 includes 2.4/5GHz MIMO WiFi, Ethernet, and cellular connectivity options and supports multiple transport protocols, including MPEG Transport Stream and RTP/RTSP. With the addition of Teradek's Sputnik server, Slice 356 rack mount encoders gain IFB and remote monitoring capabilities that give broadcasters full control over their IP video deployments.

 
After looking on Shodan for some of these devices, I found that there are around 450 devices.
 
 
 
 


I picked one at random and accessed it; the device replied with a nice login screen.
 
 
I tested the default credentials admin:admin and was redirected to the dashboard view of the device.
 
 
After doing some fuzzing and finding nothing, I decided to download the firmware of the device from the vendor's page at https://teradek.com/pages/downloads#slice
 
After downloading it, I extracted the contents of the bin file with binwalk.
   
While doing some trial-and-error reversing of the binaries and libraries from the firmware, I noticed that the upgrade.cgi file located in the home/www/cgi-bin folder contains file upload functionality.
 
 
With this in mind, I decided to test the feature with Burp Suite, so I tried to upload a random file, but the only thing I got was the following:
 
I analyzed the HTTP request against the reversed code obtained before and noticed that there was another value for the parameter "type", and it was http.
 
 
 
I tried this new value and realized that the filename was reflected at the end of the command, so I looked at the reversed code and there was the issue: the filename was appended to the end of the command and then passed to the td_syscall function.


 
 
So in the filename I put a semicolon and the command more /etc/shadow, and indeed I was able to see the /etc/shadow file of the device.
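The pattern described above (a request-supplied filename appended to a command string that is then executed) next to a hardened form, as an added example: this is not code from the original post or from Teradek's firmware. The helper path `/usr/bin/fetch-fw` and all function names are hypothetical; the actual command built by upgrade.cgi is not shown on this page.

```c
/* Added illustration, not Teradek's code. "/usr/bin/fetch-fw" and all function
 * names are hypothetical stand-ins for the command built in upgrade.cgi. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: the filename is pasted into a shell command line, so a
 * ';' in it ends the intended command and starts a second one. */
int build_shell_cmd(char *out, size_t n, const char *filename) {
    return snprintf(out, n, "/usr/bin/fetch-fw %s", filename);
}

/* Allowlist: 1..64 chars from [A-Za-z0-9._-], not starting with '.' or '-'. */
int is_safe_filename(const char *s) {
    static const char ok[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                             "abcdefghijklmnopqrstuvwxyz0123456789._-";
    size_t len = strlen(s);
    if (len == 0 || len > 64 || s[0] == '.' || s[0] == '-') return 0;
    return strspn(s, ok) == len;
}

/* Hardened pattern: validate, then exec the helper directly. The filename is
 * one argv element and no shell ever parses it.
 * Returns the helper's exit status, or -1 if rejected or on failure. */
int run_helper(const char *helper, const char *filename) {
    if (!is_safe_filename(filename)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, (char *)filename, NULL };
        execv(helper, argv);
        _exit(127);                       /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample names: one benign, one shaped like the post's input. */
    const char *names[] = { "firmware-8.2.7.bin", "fw.bin;more /etc/shadow" };
    char cmd[128];
    for (int i = 0; i < 2; i++) {
        build_shell_cmd(cmd, sizeof cmd, names[i]);
        printf("shell string: %s\n  allowlist: %s\n", cmd,
               is_safe_filename(names[i]) ? "accept" : "reject");
    }
    return 0;
}
```

The allowlist alone would stop the input used in the post, but passing the filename as a separate argv element is what removes the shell from the path entirely.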
 
 
 
 
 
 The vulnerable versions of the firmware are:

  • 7.3.5r26663
  • 7.3.7r27138
  • 7.3.12r28155
  • 8.2.7r34817


 
The Cube 695 device was also tested:
 
   
 
@xpl0ited1
 
 

 