enigma2-plugin-extensions-webadmin Remote Code Execution Severity: CRITICAL/TRIVIAL Discovered by: Fabian Fingerle (@otih__) https://fabian-fingerle.de enigma2-plugin-extensions-webadmin: The enigma2-plugin-extensions-webadmin Plugin is a web frontend for the OPKG or APT package manager. With the webadmin it's possible to install or remove packages, and many other functions over the webinterface of the Dreambox. Therefore Enigma2 is the new operating system of the Dreamboxes, which is in continuosly development. Desc: An independent research uncovered a critical vulnerability in badly configured webadmin plugin of many thousand enigma2 boxes in the wild. This misconfiguration could be used by unauthenticated remote attackers to achieve remote arbitrary code execution in the context of root superuser. To exploit the vulnerability an attacker could target common ISP networks for dial-in users. Patching: Enable authentication for enigma2-plugin-extensions-webadmin Do not share any private services on the public internet without VPN etc. Notes: This notice is not new to the enigma2 community but need to be addressed. No official vendor is responsible for enforcing authentication, encryption and securing enigma2 boxes. I want people to immediately reconfigure or at least be aware of the issue before these devices will be part of the next big IoT botnet. Exploit: $ pypy exploit.py 1.2.3.256 "id;uptime" [+] Randfilename is .pkWnzmOrFsIc.sh [+] Submitted random file to remote host [+] Exploit seems to work: * * * uid=0(root) gid=0(root) 22:36:21 up 7 days, 7:39, 0 users, load average: 0.00, 0.01, 0.05 * * * [+] cleanup randfile For updates follow: https://twitter.com/otih__ I'll send another email to the list once the trivial "exploit" is published. -- Regards, Fabian Fingerle - aka otih https://fabian-fingerle.de t: @otih__