CVE-2017-12928
Published 2017-09-21
Priority: P2 (70) · Severity: critical · CVSS 3.0 base score 9.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (see the Exploit-DB entries below)
EPSS: 2.95% (85.4th percentile)
A hard-coded password of tecn0visi0n for the dlxuser account in TecnoVISION DLX Spot Player4 (all known versions) allows remote attackers to log in via SSH and escalate privileges to root access with the same credentials.
Detection & IOCs (extracted from sources)
- Detect SSH login attempts using the hardcoded credential 'dlxuser' with password 'tecn0visi0n'; successful logins to this account on any device should be treated as compromise indicators.
- Monitor for privilege escalation from 'dlxuser' to root immediately after SSH login, as the same password 'tecn0visi0n' is used for both.
- Alert on HTTP POST requests to '/resource.php' on DlxSpot Player4 hosts, which is the file upload endpoint abused for arbitrary PHP shell upload leading to RCE.
- Detect HTTP GET requests to '/resource/source/*.php' with query parameters (e.g., '?c='), indicating execution of an uploaded web shell.
- Hunt for the SQL injection bypass string "x' or 'x'='x" in HTTP login request bodies targeting the DlxSpot admin interface.
- Use the Google dork '"DlxSpot - Player4"' to identify internet-exposed instances of the vulnerable product for asset discovery.
- Note: the hardcoded SSH credential affects ALL known versions of TecnoVISION DLX Spot Player4, not just a specific release; there is no patched version referenced in the sources.
- Note: the SQL injection and arbitrary file upload vulnerabilities affect versions above 1.5.10 only, while the hardcoded SSH backdoor (CVE-2017-12928) affects all known versions.
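A detection pass over constructed sample logs that implements the indicators listed above (added example, not code from the page or the vendor; the syslog line shapes and the tab-separated HTTP export with a request-body field are assumptions):

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the page). AUTH_LOG mimics syslog sshd/su lines;
# HTTP_LOG is an assumed tab-separated proxy/WAF export: time, client, method, url, body.
AUTH_LOG = """\
2017-09-21T10:00:01 player4 sshd[812]: Accepted password for dlxuser from 198.51.100.7 port 51022 ssh2
2017-09-21T10:00:09 player4 su: (to root) dlxuser on pts/0
2017-09-21T11:30:00 player4 sshd[900]: Accepted publickey for operator from 192.0.2.10 port 40000 ssh2
"""
HTTP_LOG = """\
2017-09-21T10:05:00\t198.51.100.7\tPOST\t/login.php\tuser=x' or 'x'='x&pass=a
2017-09-21T10:05:03\t198.51.100.7\tPOST\t/resource.php\t<multipart upload>
2017-09-21T10:05:10\t198.51.100.7\tGET\t/resource/source/cmd.php?c=id\t
2017-09-21T10:06:00\t192.0.2.10\tGET\t/index.php\t
"""

SSH_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Accepted \S+ for dlxuser from (\S+)")
SU_RE = re.compile(r"^(\S+) \S+ su: \(to root\) dlxuser on")
SQLI_MARKER = "x' or 'x'='x"
ESCALATION_WINDOW = timedelta(minutes=5)  # assumed: su to root within 5 min of the login

def detect_ssh(auth_log):
    """Flag any dlxuser SSH login, and su-to-root by dlxuser shortly after such a login."""
    alerts, last_login = [], None
    for line in auth_log.splitlines():
        if m := SSH_RE.match(line):
            last_login = datetime.fromisoformat(m.group(1))
            alerts.append((m.group(1), m.group(2), "ssh-login-dlxuser"))
        elif m := SU_RE.match(line):
            ts = datetime.fromisoformat(m.group(1))
            if last_login and ts - last_login <= ESCALATION_WINDOW:
                alerts.append((m.group(1), "local", "dlxuser-to-root"))
    return alerts

def detect_http(http_log):
    """Flag the upload endpoint, execution of an uploaded shell, and the login bypass string."""
    alerts = []
    for line in http_log.splitlines():
        ts, client, method, url, body = line.split("\t", 4)
        path, _, query = url.partition("?")
        if method == "POST" and path == "/resource.php":
            alerts.append((ts, client, "upload-endpoint-post"))
        if method == "GET" and path.startswith("/resource/source/") and path.endswith(".php") and query:
            alerts.append((ts, client, "webshell-exec"))
        if SQLI_MARKER in body:
            alerts.append((ts, client, "sqli-login-bypass"))
    return alerts
```

Each alert is a (timestamp, source, rule) tuple; in practice the 'dlxuser' login alone is enough to open an incident, since the account has no legitimate remote use on a patched-nothing product.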
CVSS provenance
NVD v3.0: 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
No detection rules found.
Exploit-DB: Tecnovision DLX Spot - Authentication Bypass
exploitdb · 2017-05-19 · CVSS 9.8 · CVE-2017-12930 [CRITICAL]
---
# Exploit Title: DlxSpot - Player4 LED video wall - Admin Interface SQL Injection
# Google Dork: "DlxSpot - Player4"
# Date: 2017-05-14
# Discoverer: Simon Brannstrom
# Authors Website: https://unknownpwn.github.io/
# Vendor Homepage: http://www.tecnovision.com/
# Software Link: n/a
# Version: >1.5.10
# Tested on: Linux
# About: DlxSpot is the software controlling Tecnovision LED Video Walls all over the world, they are used in football arenas, concert halls, shopping malls, as roadsigns etc.
# CVE: CVE-2017-12930
# Linked CVE's: CVE-2017-12928, CVE-2017-12929
# Visit my github page at https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md for complete takeover of the box, from SQLi to full root access.
#################
Exploit-DB: Tecnovision DLX Spot - Arbitrary File Upload
exploitdb · 2017-05-19 · CVSS 9.8 · CVE-2017-12929 [CRITICAL]
---
# Exploit Title: DlxSpot - Player4 LED video wall - Arbitrary File Upload to RCE
# Google Dork: "DlxSpot - Player4"
# Date: 2017-05-14
# Discoverer: Simon Brannstrom
# Authors Website: https://unknownpwn.github.io/
# Vendor Homepage: http://www.tecnovision.com/
# Software Link: n/a
# Version: >1.5.10
# Tested on: Linux
# About: DlxSpot is the software controlling Tecnovision LED Video Walls all over the world, they are used in football arenas, concert halls, shopping malls, as roadsigns etc.
# CVE: CVE-2017-12929
# Linked CVE's: CVE-2017-12928, CVE-2017-12930.
# Visit my github page at https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md for complete takeover of the box, from SQLi to root access.
######################
Exploit-DB: Tecnovision DLX Spot - SSH Backdoor Access
exploitdb · 2017-05-19 · CVSS 9.8 · CVE-2017-12930 [CRITICAL]
---
# Exploit Title: DlxSpot - Player4 LED video wall - Hardcoded Root SSH Password.
# Google Dork: "DlxSpot - Player4"
# Date: 2017-05-14
# Discoverer: Simon Brannstrom
# Authors Website: https://unknownpwn.github.io/
# Vendor Homepage: http://www.tecnovision.com/
# Software Link: n/a
# Version: All known versions
# Tested on: Linux
# About: DlxSpot is the software controlling Tecnovision LED Video Walls all over the world, they are used in football arenas, concert halls, shopping malls, as roadsigns etc.
# CVE: CVE-2017-12928
# Linked CVE's: CVE-2017-12929, CVE-2017-12930
# Visit my github page at https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md for complete takeover of the box, from SQLi to root access.
##############
No writeups or analysis indexed.