### Authenticated Remote Code Execution in Teradek video decoders
Slice 356 is a 1U rack mount H.264 decoder built for OB vans and enterprise
applications. It enables video professionals to output low latency high
definition 1080p video at up to 10Mbps via HD-SDI. Slice 356 includes 2.4/5GHz
MIMO WiFi, Ethernet, and cellular connectivity options and supports multiple
transport protocols, including MPEG Transport Stream, and RTP/RTSP. With the
addition of Teradek's Sputnik server, Slice 356 rack mount encoders gain IFB
and remote monitoring capabilities that give broadcasters full control over
their IP video deployments.

After searching Shodan for these devices, I found that there are around 450
devices.

I picked one at random and accessed it; the device replied with a nice login
screen.

I tested the default credentials **admin:admin** and was redirected to the
dashboard view of the device.

After some fuzzing that found nothing, I decided to download the device
firmware from the vendor's page at
<https://teradek.com/pages/downloads#slice>. After downloading it, I extracted
the contents of the bin file with **binwalk**.

After some trial-and-error reversing of the binaries and libraries from the
firmware, I noticed that the upgrade.cgi file located in the
home/www/cgi-bin folder has a file upload functionality.

With this in mind I decided to test the feature with BurpSuite, so I tried
to upload a random file, but the only thing I got was the following.

I compared the HTTP request against the reversed code obtained before and
noticed that there was another value for the parameter **"type"**, and it was
**http**.

I tried this new value and realized that the filename was reflected at the
end of the command, so I looked at the reversed code and there was the issue:
the filename was appended to the end of the command and then passed to the
td_syscall function.

So in the filename I put a semicolon and the command **more /etc/shadow**,
and indeed I was able to see the /etc/shadow file of the device.


The vulnerable versions of the firmware are:
- 7.3.5r26663
- 7.3.7r27138
- 7.3.12r28155
- 8.2.7r34817
And also the Cube 695 device was tested:


@xpl0ited1