CVE-2017-12929
Published 2017-09-21
Priority: P2 · 66 · high · CVSS 3.0 base score 8.8
Exploit available
EPSS: 10.08% (95.1th percentile)
Arbitrary File Upload in resource.php of TecnoVISION DLX Spot Player4 version >1.5.10 allows remote authenticated users to upload arbitrary files leading to Remote Command Execution.
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests to /resource.php for file uploads containing PHP content; successful exploitation results in a PHP webshell dropped under /resource/source/
- Detect GET requests to /resource/source/*.php with a query parameter (e.g., ?c=) as an indicator of webshell command execution
- Process execution as www-data spawned from a web server process is a post-exploitation indicator for this vulnerability
- Google dork 'DlxSpot - Player4' can be used to identify exposed vulnerable instances on the internet
- Exploitation requires prior authentication; however, a linked SQL injection vulnerability (CVE-2017-12930) allows authentication bypass via the admin login, enabling unauthenticated chaining to this file upload RCE
- A hardcoded SSH backdoor account (CVE-2017-12928) exists on all known versions, providing an alternative initial access path that can be chained with this vulnerability for full root compromise
- The arbitrary file upload vulnerability affects DLX Spot Player4 versions greater than 1.5.10 running on Linux
CVSS provenance
- NVD, CVSS v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
No detection rules found.
Exploit-DB: Tecnovision DLX Spot - Authentication Bypass
exploitdb · 2017-05-19 · CVSS 9.8
CVE-2017-12930 [CRITICAL]
---
# Exploit Title: DlxSpot - Player4 LED video wall - Admin Interface SQL Injection
# Google Dork: "DlxSpot - Player4"
# Date: 2017-05-14
# Discoverer: Simon Brannstrom
# Authors Website: https://unknownpwn.github.io/
# Vendor Homepage: http://www.tecnovision.com/
# Software Link: n/a
# Version: >1.5.10
# Tested on: Linux
# About: DlxSpot is the software controlling Tecnovision LED Video Walls all over the world, they are used in football arenas, concert halls, shopping malls, as roadsigns etc.
# CVE: CVE-2017-12930
# Linked CVE's: CVE-2017-12928, CVE-2017-12929
# Visit my github page at
https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md
for complete takeover of the box, from SQLi to full root access.
#################
Exploit-DB: Tecnovision DLX Spot - Arbitrary File Upload
exploitdb · 2017-05-19 · CVSS 9.8
CVE-2017-12929 [CRITICAL]
---
# Exploit Title: DlxSpot - Player4 LED video wall - Arbitrary File Upload to RCE
# Google Dork: "DlxSpot - Player4"
# Date: 2017-05-14
# Discoverer: Simon Brannstrom
# Authors Website: https://unknownpwn.github.io/
# Vendor Homepage: http://www.tecnovision.com/
# Software Link: n/a
# Version: >1.5.10
# Tested on: Linux
# About: DlxSpot is the software controlling Tecnovision LED Video Walls all over the world, they are used in football arenas, concert halls, shopping malls, as roadsigns etc.
# CVE: CVE-2017-12929
# Linked CVE's: CVE-2017-12928, CVE-2017-12930.
# Visit my github page at
https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md
for complete takeover of the box, from SQLi to root access.
######################
Exploit-DB: Tecnovision DLX Spot - SSH Backdoor Access
exploitdb · 2017-05-19 · CVSS 9.8
CVE-2017-12930 [CRITICAL]
---
# Exploit Title: DlxSpot - Player4 LED video wall - Hardcoded Root SSH Password.
# Google Dork: "DlxSpot - Player4"
# Date: 2017-05-14
# Discoverer: Simon Brannstrom
# Authors Website: https://unknownpwn.github.io/
# Vendor Homepage: http://www.tecnovision.com/
# Software Link: n/a
# Version: All known versions
# Tested on: Linux
# About: DlxSpot is the software controlling Tecnovision LED Video Walls all over the world, they are used in football arenas, concert halls, shopping malls, as roadsigns etc.
# CVE: CVE-2017-12928
# Linked CVE's: CVE-2017-12929, CVE-2017-12930
# Visit my github page at https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md for complete takeover of the box, from SQLi to root access.
##############
No writeups or analysis indexed.