| Title | RoomCast TA-2400 - CVE-2023-33745 - IMPROPER ACCESS CONTROL |
|---|
| Description | CVE-2023-33745: IMPROPER PRIVILEGE MANAGEMENT in ANDROID NODE in TELEADAPT ROOMCAST TA-2400 1.0.0 AND LATER allows LOCAL to ROOT ELEVATION via ANDROID SHELL
Vulnerability Type: CWE-269: Improper Privilege Management
Vulnerability Description: The Android component of the RoomCast device, specifically the Android fork of Lollipop 5.1.1, presents a notable vulnerability: the Android Debug Bridge (ADB) has been left open. This configuration allows an attacker to establish a shell on the Android node without requiring any authentication. Once a shell is successfully accessed, the attacker can exploit improper privilege management, effortlessly elevating their privileges to root.
Device: RoomCast TA-2400
Software: Android Lollipop 5.1.1 fork
RoomCast Component: Android OS
CVSS Base Score: Critical Risk - 7.8
CVSS Temporal Score: Critical Risk - 7.4
CVSS v3.1 Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:W/RC:C
Proof of Concept
In this section, we present a detailed proof of concept (PoC) to illustrate the identified vulnerability within the RoomCast TA-2400 device. The PoC provides step-by-step instructions for identifying the vulnerability and successfully exploiting it. It is important to note that for testing the PoC, we recommend using a Linux-based environment, which offers the necessary tools and compatibility for conducting the tests accurately and reliably.
1. Connect your host device to the RoomCast network using either the Ethernet LAN1 port or by connecting to the wireless network created by the RoomCast system.
2. Utilize a network scanning tool such as nmap to scan the local network and identify the IP address of the Android node. Run the following command to scan the specific RoomCast network subnet:
Command: sudo nmap 192.168.20.0/24
3. Evaluate the scan results from step 2 and locate the IP address of the Android node. In your scan results, the Android node should be the result with port 5555 open. Additionally, the name of the Android node follows a pattern similar to “android-xxxxxxxxxxxx.lan”.
4. Establish a connection to port 5555 on the Android node by using a common Linux command line tool named “adb”. Run the following command. For this example, the Android node IP address is 192.168.20.123:
Command: sudo adb connect 192.168.20.123
5. Once a connection has been established in step 4, run the following command to gain a non-root shell on the Android node:
Command: sudo adb shell
6. Elevate your current shell privileges by becoming a root user with the following command:
Command: su
Now, the terminal session is running with root privileges, granting you full and complete access to the Android node. This represents a completed compromise of the Android node, providing unrestricted control over its operations and configurations. |
|---|
| Source | ⚠️ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33745 |
|---|
| User | jTag Labs (UID 51246) |
|---|
| Submission | 2023-07-21 03:52 (3 years ago) |
|---|
| Moderation | 2023-07-28 07:09 (7 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 235614 [TeleAdapt RoomCast TA-2400 up to 3.1 ADB Local Privilege Escalation] |
|---|
| Points | 20 |
|---|
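
For owners auditing their own deployment, the indicator described in steps 2 and 3 (TCP port 5555 open, hostname resembling "android-xxxxxxxxxxxx.lan") can be checked against saved scan results. The following is an added example, not part of the original submission; it assumes the scan was saved in nmap's grepable format (`-oG`), and the sample lines, the hostname regex and the function names are constructed for illustration.

```python
import re

# Constructed sample of `nmap -oG -` output for the RoomCast subnet (not real scan data).
SAMPLE_SCAN = "\n".join([
    "# Nmap scan (constructed sample)",
    "Host: 192.168.20.1 (gateway.lan)\tStatus: Up",
    "Host: 192.168.20.1 (gateway.lan)\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///",
    "Host: 192.168.20.123 (android-0a1b2c3d4e5f.lan)\tStatus: Up",
    "Host: 192.168.20.123 (android-0a1b2c3d4e5f.lan)\tPorts: 5555/open/tcp//freeciv///",
    "Host: 192.168.20.124 (android-112233445566.lan)\tPorts: 5555/filtered/tcp//freeciv///",
    "Host: 192.168.20.130 ()\tPorts: 22/open/tcp//ssh///, 5555/open/tcp//freeciv///",
])

ADB_TCP_PORT = 5555  # port named in the advisory
# Assumption: the "x" placeholders in the advisory's hostname are lowercase alphanumerics.
NODE_NAME = re.compile(r"^android-[0-9a-z]+\.lan$")
HOST_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")

def parse_ports(field):
    """Yield (port, state, proto) tuples from a grepable 'Ports:' field."""
    for entry in field.split(","):
        parts = entry.strip().split("/")
        if len(parts) >= 3 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2]

def find_exposed_adb(scan_text):
    """Return one finding per host whose TCP port 5555 is reported open."""
    findings = []
    for line in scan_text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host record
        ip, name, rest = m.groups()
        for section in rest.split("\t"):
            if not section.startswith("Ports: "):
                continue
            for port, state, proto in parse_ports(section[len("Ports: "):]):
                if (port, state, proto) == (ADB_TCP_PORT, "open", "tcp"):
                    findings.append({
                        "ip": ip,
                        "hostname": name or None,
                        "matches_node_pattern": bool(NODE_NAME.match(name)),
                    })
    return findings

if __name__ == "__main__":
    for finding in find_exposed_adb(SAMPLE_SCAN):
        print(finding)
```

Hosts reported with port 5555 in the `filtered` state are not flagged, and a host without a matching hostname is still reported so that renamed nodes are not missed.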