Crestron DMC-STRO Remote Root RCE
Affected Products and Versions: CRESTRON DMC-STRO firmware 1.0
A critical vulnerability was discovered in Descor Infocad FM v2016.1.5.0 through v126.96.36.199:
the unauthenticated web service GlobalReaderWCF allows the download of arbitrary files from local disks and remote SMB shares via an unsanitized user-controlled field.
Depending on the version, configuration files containing clear-text passwords can be retrieved (version < 188.8.131.52);
depending on the host configuration and whether the machine is joined to a domain, NTLM relay attacks may also be possible.
The CTP Console allows, through Bash command substitution in the parameters of the 'ping' command, the execution of commands on the device as the root user.
Through the use of a DNS covert channel it was possible to enumerate the binaries available under /bin and /usr/bin. Enumerating the contents of those directories showed that the Lua interpreter was available. Therefore I wrote a Lua script that executes commands on the target, encodes the result in base64 chunks, and sends them back to the C2 through DNS queries.
From the C2 it is then possible to reassemble the base64 chunks and decode the payload to obtain the result of the executed command.
We suggest blocking such connections with a firewall rule and updating the DMC-STRO firmware.
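As an added defensive example, not part of the advisory, the following Python flags the channel described above in DNS resolver logs: repeated queries to one parent domain whose leading labels are long, base64-alphabet, high-entropy chunks. The dnsmasq-style log lines, the `<chunk>.<sequence>.<parent>` label layout and the `exfil-example.test` domain are constructed assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed dnsmasq-style query log, not from the advisory. Assumed layout of
# the channel: <base64 chunk>.<sequence>.<attacker parent domain>; the chunk
# labels are constructed base64-looking data. The last two lines are ordinary
# lookups that must not be flagged.
SAMPLE_LOG = """\
query[A] dWlkPTAocm9vdCkgZ2lkPTAocm9vdCkgZ3JvdXBz.0.exfil-example.test from 10.0.0.7
query[A] cm9vdCkgY29udGV4dD11bmNvbmZpbmVkX3UuYw.1.exfil-example.test from 10.0.0.7
query[A] KF9zZXR1cCkgaG9zdG5hbWU9ZG1jLXN0cm8tMDE.2.exfil-example.test from 10.0.0.7
query[A] www.example.com from 10.0.0.7
query[A] time.example.net from 10.0.0.7
"""
QNAME_RE = re.compile(r"query\[\w+\]\s+(\S+)\s+from")
# Base64 alphabet plus URL-safe '-' and '_' ('+' and '/' are invalid in hostnames).
B64_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]+$")

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores well above ordinary hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def suspicious_queries(log_text: str, min_label_len: int = 24,
                       min_entropy: float = 3.5) -> dict:
    """Map parent domain -> query names whose leading labels look like encoded
    data chunks (long, base64 alphabet only, high entropy)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QNAME_RE.search(line)
        if not m:
            continue
        labels = m.group(1).rstrip(".").split(".")
        if len(labels) < 3:  # nothing below the registered domain to carry data
            continue
        parent = ".".join(labels[-2:])
        if any(len(l) >= min_label_len and B64_LABEL.match(l)
               and shannon_entropy(l) >= min_entropy for l in labels[:-2]):
            hits[parent].append(m.group(1))
    return dict(hits)

def covert_channel_parents(log_text: str, min_queries: int = 3, **kw) -> dict:
    """Parent domains receiving at least min_queries chunk-like queries; a lone
    long label is often a CDN or mail-filter hostname, a burst to one domain is not."""
    return {p: len(q) for p, q in suspicious_queries(log_text, **kw).items()
            if len(q) >= min_queries}
```

Tune `min_label_len`, `min_entropy` and `min_queries` against a baseline of your own resolver logs before alerting on the result.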
Gabrio Tognozzi <email@example.com>; <firstname.lastname@example.org>
19/09/2019 Vulnerability was reported to the vendor
07/10/2019 Vulnerability was confirmed to be on the queue to fix
27/11/2019 Vulnerability details published