Many Infomir IPTV Boxes Vulnerable to Remote Code Execution

Written by Bill Toulas
Published on June 6, 2019

Infomir is a Ukrainian IPTV box manufacturer that had occupied our columns before when they tried to lock down their popular MAG boxes to prevent pirating activities. According to Check Point researchers, these boxes are vulnerable to a remote code execution flaw that they discovered and reported to Infomir, allowing the company to fix them. As many of these boxes were distributed to retailers a long time ago, and with many of them not having applied any updates on the streaming management system of these boxes, there’s a high chance that clients of these service providers are vulnerable to remote code execution and malicious content serving.

Infomir boxes are a video on demand and streaming devices with IPTV capabilities that pass through the Ministra client management platform. The flaw lies in this point, allowing an attacker to potentially gain unauthorized access to the communication platform, and doing everything from exposing the victim’s financial details to sending whatever streams they want to the client box.

sql injection code

image source:

The Ministra vulnerability is based on the bypassing of the authentication step, so an attacker can get full control of the administration panel of the management server by utilizing some AJAX API functions that are accessible without authentication. From there on the attack surface widens, and then comes SQL injection, opening the door to arbitrary code execution, making the exploitation possibilities limitless.

This is a classic example of an escalation of a small problem into a huge one, as a small-scale security flaw can eventually lead to the complete takeover of the management server through a series of steps. While the vulnerabilities were fixed in version 5.4.1, many vendors are still selling flawed boxes that put their users at high risk. Right now, the number of the vulnerable boxes out there is unknown, but Check Point researchers believe this number could be a significant one.

Ministra instances density

image source:

The above map shows the number of Ministra instances, with each one corresponding to an individual service provider. Counting about 1000 service providers, and by estimating at least a couple of hundreds of boxes being served by each one, the total number of users could be in the hundreds of thousands. If you own an IPTV box made by Infomir and you don’t know how to determine whether you’re vulnerable or not, call your service provider and ask what they have done for the “Infomir Ministra SQL Injection Remote Code Execution” flaw. If the answer that you’ll get is not convincing, chances are that you’re vulnerable.

Have something to share about this story? Do so in the comments down below, or on our socials, on Facebook and Twitter.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: