Check those permissions
A security vulnerability has been found in an online television streaming service that could allow an attacker to gain full administrative control of the host operating system.
The flaw, allocated as CVE-2020-9380, is found in the ‘WebTV Player’ line of smart television solutions produced by software company IPTV Smarters.
WebTV Player requires an internet connection in order to stream live TV and video on demand (VOD) media. This allows users to watch content from their browsers, according to Anderson Pablo, one of the researchers who discovered the flaw.
Pablo and his team found that the product included an arbitrary file upload function that meant any user could upload a file to the server without requiring authentication.
Each version of the product includes a /ajax-control.php command, Pablo said, which allows this unauthorized privilege escalation to occur and an attacker to potentially gain a persistent hold on the network.
“The server can be compromised by uploading a web shell that allows command execution, such as directory listing, download of files and more,” Pablo said in a Medium post published yesterday (March 9).
However, a malicious actor would need access to the local WiFi network in order to execute commands to the web TV server.
This could be counteracted if a user exposed the WebTV Player app to the public facing internet.
A proof of concept has also been published on GitHub.
To avoid compromise, users should “check file extensions and mime type upon upload”, Pablo said. Ensuring the right permissions are given to the upload directory is an additional line of defense.
The Daily Swig contacted Pablo on Twitter to learn if the vulnerability was reported to the vendor, IPTV Smarters, through any responsible disclosure process.
Pablo said that the vulnerability was not reported to IPTV Smarters since the vendor did not “provide any support or updates”.
Pablo added on Medium: “We believe that the demonstration of vulnerability and responsible communication makes the internet safer for everyone.
“Obviously we cannot be held responsible for acts of third parties.”
YOU MIGHT ALSO LIKE High severity regex bugs discovered in Parse Server
