DlxSpot SQL Injection

2017.09.21
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89

# Exploit Title: DlxSpot - Player4 LED video wall - Admin Interface SQL Injection # Google Dork: "DlxSpot - Player4" # Date: 2017-05-14 # Discoverer: Simon Brannstrom # Authors Website: https://unknownpwn.github.io/ # Vendor Homepage: http://www.tecnovision.com/ # Software Link: n/a # Version: >1.5.10 # Tested on: Linux # About: DlxSpot is the software controlling Tecnovision LED Video Walls all over the world, they are used in football arenas, concert halls, shopping malls, as roadsigns etc. # CVE: CVE-2017-12930 # Linked CVE's: CVE-2017-12928, CVE-2017-12929 # Visit my github page at https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md for complete takeover of the box, from SQLi to full root access. ############################################################################################################################### DlxSpot Player 4 above version 1.5.10 suffers from an SQL injection vulnerability in the admin interface login and is exploitable the following way: username:admin password:x' or 'x'='x TIMELINE: 2017-05-14 - Discovery of vulnerabilities. 2017-05-15 - Contacted Tecnovision through contact form on manufacturer homepage. 2017-06-01 - No response, tried contacting again through several contact forms on homepage. 2017-08-10 - Contacted Common Vulnerabilities and Exposures (CVE) requesting CVE assignment. 2017-08-17 - Three CVE's assigned for the vulnerabilities found. 2017-08-22 - With help from fellow hacker and friend, byt3bl33d3r, sent an email in Italian to the company. 2017-09-18 - No response, full public disclosure.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top