Risky Zero-Day Lets Remote ‘Root’ Hacking of In AT&T DirecTV WVB Devices

Zero-Day Initiative researchers disclose an unfixed serious vulnerability influencing a wireless video bridge employed by DirecTV permits for a cyberpunk to distantly implement code on the susceptible devices.

Image Source

The security susc15e|fy&86lng7eptibility was revealed in the Linksys WVBR0-25 wireless video bridge, which was planned to couple with the Wireless Genie Mini (C41W) cable box to make sure communication with DirecTV’s main Genie DVR. Trend Micro DVLabs researcher, Ricky Lawshae, revealed the vulnerability tracked as CVE-2017-17411 and featuring a CVSS score of 10. Lawshae further says that verification is not essential when endeavoring to exploit the susceptibility for implementing the arbitrary code.

“The specific flaw exists within the web management portal. The issue lies in the lack of proper validation of user data before executing a system call. An attacker could leverage this vulnerability to execute code with root privileges,” a ZDI advisory reads.

Lawshae also exposed while endeavoring to glance to the web server on the device, instead of a login prompt or an index-page, the amenity would carry “the output of several diagnostic scripts containing just about everything you could want to know about the bridge, including the WPS pin, connected clients, running processes, and much more.”

Not just this is an evidence revelation issue, but the log file similarly exposed the commands being implemented and the output of each command. Furthermore, it displayed that the user’s IP address and user-agent were utilized in a system command as a method of access logging or tracing practically.

However, the device isn’t appropriately disinfecting the user-agent it is specified and the researcher was capable to alter the user-agent and send unreliable data to the system for implementation. What Lawshae exposed was that the system performed the command as root, lacking a login rapid or contribution refining before transferring the appreciation to the task accountable for its implementation. Since the Lighttpd method carries on with source privileges, implemented instructions carry on with core rights as well, even if they originate from the unreliable input.

“It literally took 30 seconds of looking at this device to find and verify an unauthenticated remote root command injection vulnerability,” Lawshae says.

The researcher revealed that it was carrying on a Lighttpd web server after executing a more profound exploration of the device. It was arranged to extract a SysInfo.asp file when glancing at the core of the website, and this file was the page showing all the analytic output.

“It also showed dispatcher.cgi was actually a symbolic link to apply.cgi, which itself is a compiled ARC executable file used as kind of a “do everything” agent for the web server. It was in apply.cgi that I found the actual root cause,” Lawshae, who also published a video detailing the vulnerability, explains.

The ZDI endeavored to work with Linksys to talk about the susceptibility, but to no benefit. The company has not even approved it yet even though it was well-known on the bug in June, which resolute ZDI to announce the 0-day report. SecurityWeek communicated Linksys for a statement on the problem but has not got any answer yet. We’ll inform the article as soon as we get something back from them.

“In the absence of an actual patch from the vendor, users should protect themselves by limiting the devices that can interact with the WVBR0-25 to those that actually need to reach it,” Lawshae concludes.

Leave a Reply

Your email address will not be published. Required fields are marked *