Vendor: AirMedia AM-100
Author: Zach Lanier
CVSS: 7.5 (HIGH)
Vulnerability Types: Path Traversal, Hidden Management Console, Hardcoded credentials
CWE: 22
Product Name: AirMedia AM-100
Affected Version From: v1.1.1.11
Affected Version To: v1.2.1
Patch Exists: YES
Related CVE: CVE-2016-5639
CPE: o:crestron:airmedia_am-100
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
Year: 2016

Crestron AM-100 (Multiple Vulnerabilities)

The Crestron AirMedia AM-100 with firmware versions v1.1.1.11 - v1.2.1 is vulnerable to multiple issues. Path traversal via GET request: http://[AM-100-ADDRESS]/cgi-bin/login.cgi?lang=en&src=../../../../../../../../../../../../../../../../../../../../etc/shadow. The AM-100 has a hardcoded default credential of rdtool::mistral5885. This interface contains the ability to upload arbitrary files (RD upload) and can enable a telnet server that runs on port 5885 (RD Debug mode). The default root password for these devices is root::awind5885. Valid login sessions for the default (non-debugging) management interface are stored on the filesystem as session01, session02, and so on. Cleartext credentials can be read directly from these files.

Mitigation:

Upgrade to the latest version of the Crestron AirMedia AM-100 firmware.
Source (Exploit-DB raw data):

=================================================================
# Crestron AM-100 (Multiple Vulnerabilities)
=================================================================
# Date: 2016-08-01
# Exploit Author: Zach Lanier
# Vendor Homepage: https://www.crestron.com/products/model/am-100
# Version: v1.1.1.11 - v1.2.1
# CVE: CVE-2016-5639
# References:
#   https://medium.com/@benichmt1/an-unwanted-wireless-guest-9433383b1673#.78tu9divi
#   https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2016-05-001.md

Description:
The Crestron AirMedia AM-100 with firmware versions v1.1.1.11 - v1.2.1 is vulnerable to multiple issues.

1) Path Traversal

GET request: 
http://[AM-100-ADDRESS]/cgi-bin/login.cgi?lang=en&src=../../../../../../../../../../../../../../../../../../../../etc/shadow

2) Hidden Management Console

http://[AM-100-ADDRESS]/cgi-bin/login_rdtool.cgi
The AM-100 has a hardcoded default credential of rdtool::mistral5885
This interface contains the ability to upload arbitrary files (RD upload) and can enable a telnet server that runs on port 5885 (RD Debug mode).

3) Hardcoded credentials

The default root password for these devices is root::awind5885
Valid login sessions for the default (non-debugging) management interface are stored on the filesystem as session01, session02, and so on. Cleartext credentials can be read directly from these files.
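Added here as a detection example (not part of the advisory or of any Crestron code): a Python scanner over web-server access lines that flags the login.cgi `src` traversal, including URL-encoded and double-encoded variants, and any request to the hidden rdtool console. It assumes Common Log Format, since the page does not describe the AM-100's own log layout, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common Log Format (assumed): client ident user [time] "METHOD target HTTP/x" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
TRAVERSAL_CGI = "/cgi-bin/login.cgi"          # vulnerable 'src' parameter lives here (item 1)
HIDDEN_CONSOLE = "/cgi-bin/login_rdtool.cgi"  # hidden rdtool console (item 2)

def src_escapes_root(src: str) -> bool:
    """True if the src value climbs above its starting directory.
    Decodes twice so double-encoded '..' (%252e%252e) is caught, treats backslashes
    as separators, and counts depth per component: normpath would drop the leading
    '..' segments that are the evidence."""
    depth = 0
    for part in unquote(unquote(src)).replace("\\", "/").split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part not in ("", "."):
            depth += 1
    return False

def classify(line: str):
    """Return (client, finding, evidence) for a suspicious request, else None."""
    m = CLF.match(line)
    if not m:
        return None
    client, _method, target, _status = m.groups()
    url = urlsplit(target)
    if url.path == HIDDEN_CONSOLE:
        return (client, "hidden-console-access", url.path)
    if url.path == TRAVERSAL_CGI:
        # parse_qs decodes once; src_escapes_root decodes again for %25-encoded payloads
        for value in parse_qs(url.query, keep_blank_values=True).get("src", []):
            if src_escapes_root(value):
                return (client, "path-traversal", value)
    return None

def scan(lines):
    """Run classify over an iterable of log lines and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (not real device logs); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Aug/2016:10:00:01 +0000] "GET /cgi-bin/login.cgi?lang=en HTTP/1.1" 200 1532',
    '203.0.113.5 - - [01/Aug/2016:10:00:07 +0000] "GET /cgi-bin/login.cgi?lang=en&src=../../../../etc/shadow HTTP/1.1" 200 812',
    '203.0.113.5 - - [01/Aug/2016:10:00:09 +0000] "GET /cgi-bin/login.cgi?lang=en&src=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
    '198.51.100.9 - - [01/Aug/2016:10:01:00 +0000] "GET /cgi-bin/login_rdtool.cgi HTTP/1.1" 200 640',
]
```

Run `scan(SAMPLE_LOG)` to get the three findings; a successful telnet connection to port 5885 after a console hit is the follow-on signal worth correlating in network logs.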