Crestron AM-100 1.2.1 Path Traversal / Hard-Coded Credentials

Crestron AM-100 versions through 1.2.1 suffer from hard-coded credential and path traversal vulnerabilities.

MD5 | 5b5026c9de1a7593e6278ffca75951c1

# Crestron AM-100 (Multiple Vulnerabilities)
# Date: 2016-08-01
# Exploit Author: Zach Lanier
# Vendor Homepage:
# Version: v1.1.1.11 - v1.2.1
# CVE: CVE-2016-5639
# References:

The Crestron AirMedia AM-100 with firmware versions v1.1.1.11 - v1.2.1 is vulnerable to multiple issues.

1) Path Traversal

GET request:

2) Hidden Management Console

The AM-100 has a hardcoded default credential of rdtool::mistral5885
This interface contains the ability to upload arbitrary files (RD upload) and can enable a telnet server that runs on port 5885 (RD Debug mode).

3) Hardcoded credentials

The default root password for these devices is root::awind5885
Valid login sessions for the default (non-debugging) management interface are stored on the filesystem as session01, session02.. etc. Cleartext credentials can be read directly from these files.

Related Posts