Alexei Kojenov

5 exploits Active since Oct 2020
CVE-2020-24215 EXPLOITDB CRITICAL bash WORKING POC
HiSilicon IPTV/H.264/H.265 - RCE
An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. Attackers can use hard-coded credentials in HTTP requests to perform any administrative task on the device including retrieving the device's configuration (with the cleartext admin password), and uploading a custom firmware update, to ultimately achieve arbitrary code execution.
CVSS 9.8
CVE-2020-24217 EXPLOITDB CRITICAL bash WORKING POC
HiSilicon box - RCE
An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. The file-upload endpoint does not enforce authentication. Attackers can send an unauthenticated HTTP request to upload a custom firmware component, possibly in conjunction with command injection, to achieve arbitrary code execution.
CVSS 9.8
CVE-2020-24217 EXPLOITDB CRITICAL bash WORKING POC
HiSilicon box - RCE
An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. The file-upload endpoint does not enforce authentication. Attackers can send an unauthenticated HTTP request to upload a custom firmware component, possibly in conjunction with command injection, to achieve arbitrary code execution.
CVSS 9.8
CVE-2020-24219 EXPLOITDB HIGH bash WORKING POC
URayTech IPTV/H.264/H.265 <1.97 - Path Traversal
An issue was discovered on URayTech IPTV/H.264/H.265 video encoders through 1.97. Attackers can send crafted unauthenticated HTTP requests to exploit path traversal and pattern-matching programming flaws, and retrieve any file from the device's file system, including the configuration file with the cleartext administrative password.
CVSS 7.5
CVE-2020-24214 EXPLOITDB CRITICAL bash WORKING POC
HiSilicon box - Buffer Overflow
An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. Attackers can send a crafted unauthenticated RTSP request to cause a buffer overflow and application crash. The device will not be able to perform its main purpose of video encoding and streaming for up to a minute, until it automatically reboots. Attackers can send malicious requests once a minute, effectively disabling the device.
CVSS 9.8