Checkpoint researchers have identified critical vulnerabilities in a set-top box (STB) TV streaming device that would allow a hacker to gain remote control of users’ screens.
The set-top box device enables a connection between a television service provider and the user’s TV, allowing them to stream content. The set-top boxes are connected and controlled by a web management platform called Ministra.
Checkpoint were able to use an authentication bypass to escalate an attack against the platform that gave them access to customers’ financial information, personal information and their set-top box database.
The first vulnerability in the system was found in Ministra’s web management platform for the STB devices, which is PHP-based.
The online platform has an admin interface that asks for authentication; however, the researchers managed to bypass this mechanism and gained access to the AJAX API functions. This allowed them to initiate a SQL injection through which they were able to access the ‘prepareDataTableParams’ function, which led to the ability to execute code on the server.
TV Streaming Device Vulnerability
Checkpoint researcher Ronen Shustin wrote in his report that: “After some tests, it was clear that the keys passed to the order-by, select and like functions were vulnerable to SQL Injection. As we control keys in the query, we can perform either blind or reflected SQL injection.”
“The root cause of this vulnerability is that the `prepareDataTableParams` function which allows user-controlled data to influence keys which are not sanitized properly later.”
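The class of flaw described in the quote, where request keys rather than values reach the select, like and order-by clauses, is shown here as an added Python/sqlite3 example; it is not code from the Check Point report or from Ministra, and the table, column names and allowlist are constructed assumptions. It generalizes slightly beyond the page: bound parameters protect values, while keys used as identifiers need an allowlist.

```python
import sqlite3

# Constructed schema and allowlist; assumptions, not Ministra's real names.
ALLOWED_COLUMNS = {"id", "login", "status"}
ALLOWED_DIRECTIONS = {"asc", "desc"}


def build_query_unsafe(params):
    """Weak pattern: request keys are pasted into the SQL text as identifiers."""
    select = ", ".join(params["select"])
    order = ", ".join(f"{col} {d}" for col, d in params["order"].items())
    like = " OR ".join(f"{col} LIKE ?" for col in params["like"])
    sql = f"SELECT {select} FROM users WHERE {like} ORDER BY {order}"
    return sql, list(params["like"].values())  # only the values are bound


def build_query_safe(params):
    """Hardened pattern: every key must match the allowlist before use."""
    def column(name):
        if name not in ALLOWED_COLUMNS:
            raise ValueError(f"rejected column key: {name!r}")
        return f'"{name}"'

    def direction(value):
        if str(value).lower() not in ALLOWED_DIRECTIONS:
            raise ValueError(f"rejected sort direction: {value!r}")
        return str(value).upper()

    select = ", ".join(column(c) for c in params["select"])
    order = ", ".join(f"{column(c)} {direction(d)}"
                      for c, d in params["order"].items())
    like = " OR ".join(f"{column(c)} LIKE ?" for c in params["like"])
    sql = f"SELECT {select} FROM users WHERE {like} ORDER BY {order}"
    return sql, list(params["like"].values())


def run(builder, params):
    """Build the query with the given builder and run it on a constructed table."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users (id INTEGER, login TEXT, status TEXT, secret TEXT);"
        "INSERT INTO users VALUES (1, 'alice', 'active', 's3cr3t-constructed');"
    )
    sql, values = builder(params)
    return db.execute(sql, values).fetchall()
```

With the unsafe builder, a key naming a column outside the intended set changes what the query returns even though every value is bound; the safe builder raises `ValueError` before any SQL is built.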
Once the vulnerabilities were chained, the researchers were eventually able to reach an object injection vulnerability that let them execute arbitrary code on the server. If done maliciously, this could affect not just the service provider, but would also give access to customers’ TVs through the set-top box.
The set-top boxes in question were manufactured by Infomir, a Ukrainian maker of Internet Protocol Television, Over-the-Top and Video-on-Demand devices.
Each device connects to a platform called Ministra, which facilitates the internet connection and manages users. Checkpoint estimate that there are over 1,000 TV streaming service providers who use the Ministra platform worldwide, with users globally.
Checkpoint informed Infomir over a year ago about the vulnerability and they have subsequently rolled out a patch. Checkpoint has not ruled out the possibility that resellers of the devices have not patched their service.