Popular TV Streaming Platform Ministra Vulnerable to Hijacking
A number of critical remote code-execution vulnerabilities in a streaming TV platform could expose entire databases of subscribers' personal info and financial details. This could open the door to hackers hijacking the service, streaming any content they wish to TVs. More than 1,000 video service providers worldwide use Ministra, which connects to set-top boxes in customers' homes to deliver video on demand. The management platform is produced by Infomir, a Ukrainian manufacturer, and the STBs can come from various vendors, including the widely used Roku.
In order to receive the television broadcast, the STB connects to Ministra, and service providers use the Ministra platform to manage their clients. If a hacker were to gain unauthorized access to this platform, they could expose the financial details of the provider's customers or change the content sent to those customers. Researchers were able to chain several vulnerabilities in the code to achieve remote code execution. First, they used an authentication bypass to perform an SQL injection on the server. Then they escalated the attack through an object injection vulnerability, which allowed them to execute arbitrary code on the server. This has the potential to impact not only the provider but also the provider's clients.
Ministra is a PHP-based web platform with an administrative interface that requires authentication. However, researchers were able to bypass the authentication mechanism because it only checks authentication on requests marked as AJAX commands by a request header. The researchers bypassed the check simply by not sending that header. After that, the researchers were able to carry out SQL injection. The flaw stems from the prepareDataTableParams function, which allows user-controlled data to influence keys that are not sanitized properly later. This function is called from multiple locations in the code, which means the vulnerability can be triggered from other locations as well.
The $query_param variable is constructed from the prepareDataTableParams result. It is then passed to the getVideoLog function. The researchers performed a reflected SQL injection here and, as a result, were able to return any arbitrary data they wanted in $response['data']. That data is then passed to the setLinksForVideoLog function, which calls the unserialize function on it. This is a classic case of an SQL injection leading to an object injection vulnerability.
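The three weaknesses the researchers chained, sketched as an added PHP illustration with each weak pattern beside a hardened one. This is not Ministra's code: the function names, the column list, the session layout and the X-Requested-With header are assumptions.

```php
<?php
// Added illustration, not Ministra's code: each weakness the article describes,
// shown as the weak pattern beside a hardened one. All names are hypothetical.

// 1. Authentication enforced only on requests flagged as AJAX.
function isAuthenticatedWeak(array $headers, array $session): bool {
    // Requests without the marker header skip the check, so omitting it bypasses auth.
    if (empty($headers['X-Requested-With'])) {   // header name assumed
        return true;
    }
    return !empty($session['user_id']);
}

function isAuthenticatedSafe(array $session): bool {
    // Every admin request needs a valid session, whether or not it is AJAX.
    return !empty($session['user_id']);
}

// 2. DataTables-style sort parameters: untrusted keys become SQL identifiers.
function buildOrderWeak(array $params): string {
    // The user-controlled key is concatenated unquoted into ORDER BY.
    return 'ORDER BY ' . $params['sort_col'] . ' ' . $params['sort_dir'];
}

function buildOrderSafe(array $params): string {
    // Identifiers cannot be bound as prepared-statement parameters,
    // so allow-list the column and direction instead of trying to sanitize them.
    $allowed = ['id', 'created', 'title'];                      // hypothetical columns
    $col = in_array($params['sort_col'] ?? '', $allowed, true) ? $params['sort_col'] : 'id';
    $dir = strtoupper($params['sort_dir'] ?? '') === 'DESC' ? 'DESC' : 'ASC';
    return "ORDER BY `$col` $dir";
}

// 3. Data read back from the database is unserialize()d: if a query result can be
// influenced (here, through the injection above), attacker-shaped strings become objects.
function decodeLinksWeak(string $stored) {
    return unserialize($stored);   // any class may be instantiated, magic methods run
}

function decodeLinksSafe(string $stored): array {
    // Refuse objects entirely; arrays and scalars are all this data should contain.
    // For new data, store JSON and use json_decode() instead of unserialize().
    $v = unserialize($stored, ['allowed_classes' => false]);
    return is_array($v) ? $v : [];
}

// Quick check of the hardened pieces on constructed input.
$req = ['sort_col' => 'not_a_column', 'sort_dir' => 'desc'];
var_dump(buildOrderSafe($req));                     // unknown column falls back to the default
var_dump(decodeLinksSafe('O:8:"stdClass":0:{}'));   // serialized object is refused
```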
More than 1,000 service providers around the globe, including several in the U.S., use the Ministra system. With a full exploit, hackers can access subscriber data or take over the system to deliver their own content. The vulnerabilities were fixed by Infomir in version 5.4.1, but not all vendors may have updated. TV and video services are becoming a target for hackers, with more bugs coming to light and more real-world attacks playing out. In June, an unpatched vulnerability was found in SUPRA Smart Cloud TV sets that would have allowed hackers to hijack the TV to broadcast their own content, including fake emergency broadcast messages. In May, Ricardo Milos greeted Cartoon Network viewers worldwide when they tried to stream shows, thanks to a pair of hackers who targeted the cable network's websites. In April, The Weather Channel was knocked off the air by what it said was a "malicious software attack" on its network. Android-based smart TVs from Sony, including the flagship Bravia line, had two vulnerabilities that could allow hackers to access Wi-Fi passwords and images stored on the devices. Hackers took advantage of vulnerabilities in Chromecast and Google Home devices to display messages on TVs promoting YouTube star PewDiePie.