Skip to content
cyberexploits
remotehardwaretext

Crestron AM-100 - Multiple Vulnerabilities

Crestron AM-100 - Multiple Vulnerabilities

Publié le 2016-11-22

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/hardware/remote/40813.txt7eac4c3a
raw
=================================================================

# Crestron AM-100 (Multiple Vulnerabilities)

=================================================================

# Date: 2016-08-01

# Exploit Author: Zach Lanier

# Vendor Homepage: https://www.crestron.com/products/model/am-100

# Version: v1.1.1.11 - v1.2.1

# CVE: CVE-2016-5639 

# References: 

#   https://medium.com/@benichmt1/an-unwanted-wireless-guest-9433383b1673#.78tu9divi

#   https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2016-05-001.md



Description:

The Crestron AirMedia AM-100 with firmware versions v1.1.1.11 - v1.2.1 is vulnerable to multiple issues.



1) Path Traversal



GET request: 

http://[AM-100-ADDRESS]/cgi-bin/login.cgi?lang=en&src=../../../../../../../../../../../../../../../../../../../../etc/shadow



2) Hidden Management Console



http://[AM-100-ADDRESS]/cgi-bin/login_rdtool.cgi

The AM-100 has a hardcoded default credential of rdtool::mistral5885

This interface contains the ability to upload arbitrary files (RD upload) and can enable a telnet server that runs on port 5885 (RD Debug mode).



3) Hardcoded credentials



The default root password for these devices is root::awind5885

Valid login sessions for the default (non-debugging) management interface are stored on the filesystem as session01, session02.. etc. Cleartext credentials can be read directly from these files.





Voir sur GitHub