[BreachExchange] Vulnerability found in digital signage system

Destry Winant destry at riskbasedsecurity.com
Thu Feb 7 08:30:54 EST 2019


http://www.ehackingnews.com/2019/02/vulnerability-found-in-digital-signage.html

A swathe of severe vulnerabilities was found in Tightrope Media
Systems’ digital signage system.

A researcher has uncovered severe vulnerabilities in digital signage
software developed by Tightrope Media Systems (TRMS) thanks to the use
of a default password.

The findings were made due to a recent penetration test of the
Carousel system conducted by cybersecurity researcher Drew Green.

Green's client was making use of the software on an appliance provided
by TRMS which the researcher describes as "essentially an x86 Windows
10 PC."

The researcher decided to explore further. TRMS's Carousel system
allows users to upload "bulletins" which are the items displayed on
digital signs.

The interface accepts .ZIP files for uploads, and during testing,
Green was not only able to export existing, legitimate bulletins, but
was also able to upload a .ZIP file containing two malicious files to
Carousel.

However, the researcher came across a stumbling block when he
attempted to travel to the URL of the malicious files.

"It appeared that when inserting files into this ZIP archive, the path
separator for files and directories was being set to the forward-slash
character ("/") rather than the backslash character ("\")," Green
said. "This caused the files I added to be discarded by the server
upon upload. I was eventually able to see this clearly by opening the
file in a hex editor."

In order to overcome this barrier, all it took was for the researcher
to manually change the characters in question. Green was then able to
execute commands on the system via a web shell.

With access assured, the researcher uploaded a Powershell file which
connected a remote shell back to his system -- granting Green the
ability to upload arbitrary files and remotely execute code.

Another vulnerability, CVE-2018-18931, was uncovered which allowed the
researcher to bump up privileges on a user account to a local
administrator, and while exploiting the bug required a system restart
-- something basic accounts cannot do -- he was able to send a command
to force a reboot and trigger the exploit.


More information about the BreachExchange mailing list