enigma2-plugin-extensions-webadmin Remote Code Execution

Severity: CRITICAL/TRIVIAL

Discovered by:
Fabian Fingerle (@otih__)
https://fabian-fingerle.de

enigma2-plugin-extensions-webadmin:
The enigma2-plugin-extensions-webadmin Plugin is a web frontend for the
OPKG or APT package manager. With the webadmin it's possible to install
or remove packages, and many other functions over the webinterface of
the Dreambox. Therefore Enigma2 is the new operating system of the
Dreamboxes, which is in continuosly development.

Desc:
An independent research uncovered a critical vulnerability in badly
configured webadmin plugin of many thousand enigma2 boxes in the wild.
This misconfiguration could be used by unauthenticated remote attackers
to achieve remote arbitrary code execution in the context of root
superuser. To exploit the vulnerability an attacker could target common
ISP networks for dial-in users.

Patching:
Enable authentication for enigma2-plugin-extensions-webadmin
Do not share any private services on the public internet without VPN
etc.

Notes:
This notice is not new to the enigma2 community but need to be
addressed.
No official vendor is responsible for enforcing authentication,
encryption and securing enigma2 boxes.
I want people to immediately reconfigure or at least be aware of the
issue before these devices will be part of the next big IoT botnet.

Exploit:
$ pypy exploit.py 1.2.3.256 "id;uptime"
[+] Randfilename is .pkWnzmOrFsIc.sh
[+] Submitted random file to remote host
[+] Exploit seems to work: 
* * *

uid=0(root) gid=0(root)  
22:36:21 up 7 days, 7:39, 0 users, load average: 0.00, 0.01, 0.05  

* * *


[+] cleanup randfile

For updates follow:

https://twitter.com/otih__

I'll send another email to the list once the trivial "exploit" is
published.

-- 
Regards,
Fabian Fingerle - aka otih
https://fabian-fingerle.de
t: @otih__