A suite of critical remote code-execution vulnerabilities in a streaming TV platform could expose entire databases of subscribers’ personal info and financial details – and could open the door to attackers hijacking the service, streaming any content they wish to customer screens.

According to Check Point Research, more than 1,000 video service providers (mostly those providing their own “over-the-top” (OTT)/streaming services) worldwide use the impacted platform, known as Ministra, which connects to set-top boxes (STBs) in customer homes to deliver video on demand (VOD) content. The management platform is produced by Infomir, a Ukrainian manufacturer, and the STBs can come from various vendors, including the widely deployed Roku.

“In order to receive the television broadcast, the STB connects to the Ministra [platform], and service providers use the Ministra platform to manage their clients,” Check Point researchers said in an analysis, posted Wednesday. “Were an attacker to gain unauthorized access to this platform, they could essentially expose the provider’s customer base’s financial details or change the content sent to the service providers’ customers.”

Check Point researchers were able to string together several holes in the code in order to achieve remote code-execution (RCE). First, they used an authentication bypass to perform an SQL Injection on the server. With that knowledge, they escalated the attack to use an object injection vulnerability, which in turn allowed them to execute arbitrary code on the server, potentially impacting not only the provider but also the provider’s clients.

“A small logical bug can sometimes be leveraged to a critical security issue,” noted the researchers.

A Full Attack Chain

Ministra is a PHP-based web platform with an administrative interface that requires authentication. However, Check Point researchers were able to bypass the authentication mechanism because it checks the authentication only for AJAX commands.

“We managed to bypass the authentication check by not sending this header,” according to Check Point.

From there, they were able to carry out SQL injection: “The root cause of this vulnerability is that the `prepareDataTableParams` function allows user-controlled data to influence keys which are not sanitized properly later,” they explained. “Also, this function is called from multiple locations in the code, which means this vulnerability can be triggered from other locations.”

The next step was to chained this SQL injection to an unauthenticated object injection exploit.

“The `$query_param` variable is constructed from the `prepareDataTableParams` result, and then passed to the `getVideoLog` function,” explained the researchers. “We can perform a reflected SQL injection here, and as a result, return any arbitrary data we want to `$response[‘data’]`. The data is later passed to the `setLinksForVideoLog` function which uses the `unserialize` function. So here we have a classic case of an SQL injection leading to object injection vulnerability.”

The next step was to achieve RCE, which the researchers were able to do after finding a weakness in the code’s SwiftMailer library class.

“By calling the `write` function, the system tries to either send the `$command` over a socket or write it to a file,” the analysts explained. “However, because we control the `$this->_buffer` property, we can set it to any object we want that implements the `write` function….At the end, we control the path and the content of the file. With this primitive, we can write arbitrary PHP files and get remote code execution on the server.”

Impact

As mentioned, more than 1,000 service providers around the globe (including several in the U.S.) make use of the Ministra system, according to Check Point’s scans (the firm didn’t release provider names, however subscribers will be aware that they’re using the Ministra app to access subscription content on their STB). With a full exploit, attackers could access subscriber data or take over the system to deliver their own content.

The vulnerabilities were fixed by Informir in version 5.4.1 of Ministra (previously sold under the name “Stalker”), but not all vendors may have updated.

“Due to some resellers likely not to have patched their service, and therefore are still at risk of attack, we advise customers to contact their TV streaming service provider to ensure they have implemented the protection against this Ministra vulnerability,” according to Check Point.

Ricardo Milos and Other Attacks on TV

TV and video services are an emerging target for cybercriminals, with more bugs coming to light and more real-world attacks playing out.

Earlier in June an unpatched vulnerability in smart TVs came to light in the SUPRA Smart Cloud TV brand, which would allow attackers to hijack the TV set to broadcast their own content – including, potentially, fake emergency broadcast messages.

Networks are in the crosshairs too: In May, a famous Brazilian male stripper named Ricardo Milos greeted Cartoon Network viewers worldwide when they tried to stream shows – thanks to a pair of hackers that took aim at the cable network’s websites across 16 different regions. And in April, The Weather Channel – a trusted cable network source of meteorological data across the U.S. – was knocked off the air by what it said was a “malicious software attack” on its network.

Also that month, two vulnerabilities in Android-based smart-TVs from Sony, including the flagship Bravia line, were found that could allow attackers to access Wi-Fi passwords and images stored on the devices.

And in January, hackers took advantage of vulnerable Chromecast and Google Home devices to display messages on consumer TVs promoting well-known YouTube star PewDiePie.

Ransomware is on the rise: Don’t miss our free Threatpost webinar on the ransomware threat landscape, June 19 at 2 p.m. ET. Join Threatpostand a panel of experts as they discuss how to manage the risk associated with this unique attack type, with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers.