Crestron dmc-stro remote root rce

CVEID: CVE-2019-18184
Affected Products and Versions: CRESTRON DMC-STRO firmware 1.0

Executive Summary
A critical vulnerability was discovered in the CTP console of the CRESTRON DMC-STRO device, that allows through bash command substitution to execute commands on the system, on behalf of the root user.

Additional Information
the CTP Console allows, through Bash Command Substitution on the ‘ping’ command parameters, to execute commands on the device on behalf of the root user.

RCE DMC-STRO in ping parameters

Through the usage of a DNS Covert Channel it was possible to enumerate the binaries available under /bin and /usr/bin. Enumerating the content of such directories it was possible to find out that the Lua interpreter was available. Therefore I wrote down a Lua script that executes commands on the target, encrypts the result in base64 chunks, and send them back to the C2 through DNS Queries.

From the C2 it is then possible to rechain the base64 chunks and decode the payload back to obtain the result of the executed command.

Decode Base64 encoded payload

Remediation:
We suggest to block such connections with a firewall rule. Furthermore update the DMC STRO firmware

Discoverer:
Gabrio Tognozzi <g.tognozzi AT NOISESKIPME quantumleap.it>; <gtognozzi AT NOISESKIPME deloitte.it>

Timeline:
19/09/2019 Vulnerability was reported to the vendor
07/10/2019 Vulnerability was confirmed to be on the queue to fix
27/11/2019 Vulnerability details published