Skip to main content

Posts

Showing posts from December, 2017

3 Years of DirecTV User-Agent Command Injection

I found a bug in one of my DirecTV devices in 2015 after I got DirecTV. DirecTV didn't have a bug bounty program at that time so I used it as a demo in my classes. When AT&T bought DirecTV it then fell under AT&T's bug bounty, which is awarded quarterly. I forgot to submit it in the first post-merger quarger (2015Q4), so I submitted it 2016Q1. Screenshots from the bug bounty submission are at the bottom of this post.

EDIT: I in NO way want to steal the thunder from Ricky Lawshae and or diminish his hard work (although I think we can both agree this is about the lamest work either of use have ever had to do ;) ). My goal is to show how long crappy bugs like this sit.

I got bored a few years ago and decided to see what services the devices in my house expose.  A simple Nmap scan found listening web server on one of the devices. I browsed to it and I see this:


This is one of my DirecTV devices (I have DirecTV, solely so I can watch my precious Green Bay Packers on Sundays.…