Critical Vulnerabilities Lead to Account Takeover in Major IPTV Streamer
Critical vulnerabilities have been found in the Ukrainian IPTV video streaming platform Ministra, which uses Infomir-manufactured set-top boxes (STBs) to deliver streaming content from the platform to end users’ televisions. Infomir sells its products throughout the world, so impacted users are not confined to Ukraine.
Check Point Research discovered the flaws over a year ago. Although the researchers reported the issues to the manufacturer, who patched them, it is likely that not all resellers have applied the fix to their own installations, leaving them at risk. Check Point has not been able to determine the numbers involved because, it reports, “we don’t know how many customers each of these resellers has, though from our initial scans there are over 1000 resellers around the world, so the number of those exposed could be very high.” There are, for example, 199 resellers in the U.S., 137 in the Netherlands and 117 in France alone.
Ministra is the Infomir platform that controls the STBs. It is PHP based, and requires that distributors authenticate before gaining access to their control panel. Check Point noticed that some of the panel controllers included functions intended for Ajax use. The logic amounted to: if this is an Ajax request and it carries no authentication, refuse access. Because authentication was only checked when the request identified itself as Ajax, simply omitting the header that indicates an Ajax request bypassed the entire authentication check. “As a result,” say the researchers, “we managed to elicit some unintended behavior.”
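The header-gated check described above, as an added illustration that is not Ministra’s or Check Point’s code; the function names, the header handling and the return values are hypothetical, and the hardened variant shows the defensive fix of checking authentication independently of how the request was made:

```php
<?php
// Added illustration (not Ministra's code). All names are hypothetical.
// Models a guard that only denies unauthenticated *Ajax* calls, so a plain
// request that omits the X-Requested-With header never reaches the check.

function isAjax(array $headers): bool
{
    return strtolower($headers['X-Requested-With'] ?? '') === 'xmlhttprequest';
}

// Vulnerable pattern: authentication is enforced only when the caller
// declares itself as Ajax. Omitting the header skips the check entirely.
function guardVulnerable(array $headers, bool $authenticated): string
{
    if (isAjax($headers) && !$authenticated) {
        return 'denied';
    }
    return 'handler-executed';
}

// Hardened pattern: authentication is enforced first, regardless of the
// transport; the Ajax flag only chooses how the refusal is reported.
function guardHardened(array $headers, bool $authenticated): string
{
    if (!$authenticated) {
        return isAjax($headers) ? 'denied (json)' : 'denied (redirect)';
    }
    return 'handler-executed';
}

// Constructed requests: the same unauthenticated call with and without
// the header that marks it as Ajax.
$ajaxRequest  = ['X-Requested-With' => 'XMLHttpRequest'];
$plainRequest = [];

foreach (['vulnerable' => 'guardVulnerable', 'hardened' => 'guardHardened'] as $label => $fn) {
    // Unauthenticated call that does declare itself as Ajax.
    printf("%-10s ajax, unauthenticated:  %s\n", $label, $fn($ajaxRequest, false));
    // Unauthenticated call with the header removed.
    printf("%-10s plain, unauthenticated: %s\n", $label, $fn($plainRequest, false));
}
```

Only the hardened guard refuses the unauthenticated plain request; the vulnerable one lets it through to the handler.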
The researchers extended their investigation to other functions and found further weaknesses. They found they could control the ‘order’, ‘like’ and ‘select’ keys inside the code of one function. Such keys are not usually fully sanitized because they are not directly supplied by the user, and it soon became apparent that certain functions were vulnerable to SQL injection, which in turn could enable PHP Object Injection (POI). “As we control keys in the query, we can perform either blind or reflected SQL injection,” write the researchers. Moreover, since the function concerned is called from multiple locations in the code, the vulnerability could be triggered from several entry points.
Looking further, they found a function that was reachable through the authentication bypass and that also called the function vulnerable to the SQLi leading to object injection. They had already gained control of the ‘$this->…’ buffer, and discovered “we can control all the properties of this class: we can set `$this->_writer` to be false, and `$this->_path` to be any arbitrary path we want.”
In short, they could control both the path and the content of a file: they could write arbitrary files and gain remote code execution on the server. “Fun fact,” they add: “All the classes we used are related to SwiftMailer, so effectively, we found a generic file write gadget. You can now generate this gadget with PHPGGC (SwiftMailer/FW4).”
From a simple authentication bypass, attackers could escalate through SQLi to object injection. They would then be able to execute arbitrary code on the server, impacting both the Ministra/Infomir reseller and all of the reseller’s customers. “The risks would be their entire customer database of personal info and financial details as well as allowing an attacker to potentially stream any content they choose on to the screens of their customer network,” warns Check Point.