Title: DreamBox DM500(+) Arbitrary File Download Vulnerability
Advisory ID: ZSL-2011-5013
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 13.05.2011

Summary

The Dreambox is a series of Linux-powered DVB satellite, terrestrial and cable digital television receivers (set-top box).

Description

Dreambox suffers from a file download vulnerability thru directory traversal with appending the '/' character in the HTTP GET method of the affected host address. The attacker can get to sensitive information like paid channel keys, usernames, passwords, config and plug-ins info, etc.

Vendor

Dream Multimedia GmbH - http://www.dream-multimedia-tv.de

Affected Version

DM500, DM500+, DM500HD and DM500S

Tested On

Linux Kernel 2.6.9, The Gemini Project, Enigma

Vendor Status

N/A

PoC

dreambox_fd.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] http://packetstormsecurity.org/files/101385
[2] http://www.exploit-db.com/exploits/17279/
[3] http://www.securityfocus.com/bid/47844
[4] http://securityreason.com/exploitalert/10427
[5] http://xforce.iss.net/xforce/xfdb/67456
[6] http://www.vfocus.net/art/20110517/9000.html
[7] http://secunia.com/advisories/31650/

Changelog

[13.05.2011] - Initial release
[16.05.2011] - Added reference [4] and [5]
[17.05.2011] - Added reference [6]
[27.06.2011] - Added reference [7]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk