Skip to content

Vulnerable functionality is in automatic USB upgrade process. It is possible to inject additional commands via malicious files names.

License

Notifications You must be signed in to change notification settings

Ivan-Markovic/Command-injections-via-USB-upgrade-in-MSTAR-Set-Top-box

Repository files navigation

Command-injections-via-USB-upgrade-in-MSTAR-Set-Top-box

While I was working on diagnostic device for some of my clients I found command injections in MSTAR Set-Top box products. Diagnostic device is not specially target this vendor but we used it in development phase and for testing. Vulnerable functionality is in automatic USB upgrade process. It is possible to inject additional commands via malicious files names.

For example, to upgrade your Set-Top box, you just need to put firmware file on USB drive with filename "auto_upgrade.bin" and after you insert it and restart device, it will be automaticaly upgraded. This fuctionality can be also exploited by inserting additional commands in filename.

Full advisory: https://security-net.biz/set-top-box-command-injection-mstar-uboot-usb-upgrade.html

About

Vulnerable functionality is in automatic USB upgrade process. It is possible to inject additional commands via malicious files names.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published