CVE-2019-17124: GitHub - hessandrew/CVE-2019-17124: KRAMER VIAware 2.5.0719.1034 - Remote Code Execution

Exploit Title: KRAMER VIAware 2.5.0719.1034 - Remote Code Execution

Date: 2019-10-02
Author: Andrew Hess
Software Link: https://www.kramerav.com/us/product/viaware
Version: 2.5.0719.1034
CVE: CVE-2019-17124

History

2019.10.02 - Vulnerability discovered
2019.10.02 - Initial contact with the vendor
2019.10.04 - Second contact with the vendor
2019.10.08 - No reply from the vendor
2019.10.09 - Public security advisory released

Software description

All the advanced wireless presentation and collaboration tools offered by VIA Campus can now be used on your own PC to enhance collaborative meetings in Corporate environments and interactive learning in Education and training environments. From any laptop or mobile device, any in-room meeting participant or trainee can view the main display, edit documents together in real time, share any size file, turn the main display into a digital whiteboard, and more. VIAware also lets facilitators use e-polling and e-exams to easily and instantly measure how much students & trainees are actually learning. VIAware can show up to six user screens on one main display or up to 12 screens on two displays (hardware-dependent) and features iOS mirroring for MacBook, iPad, and iPhone as well as native mirroring for Chromebook, Android (Lollipop OS 5.0 or newer), and Windows phone. Remote students can easily join the class and collaborate in real time with embedded 3rd-party video conferencing and office apps. VIAware delivers the same security offered by all VIA devices and can be installed on any computer running Windows 10, providing IT managers the versatility they need. The software works seamlessly with your existing VIA clients and VIA Site Management and offers full support for all VIA Quick Connect features, such as QR Code, NFC Tag and VIA Pad. VIAware is available as a one-time license with optional annual upgrade subscriptions or as a recurring annual subscription.

Exploit description

The VIAware software is installed on a gateway computer that can have two network cards.
One network card for the internal network and one for the external network (access point) to which the guests connect.

This scenario makes it dangerous because unblocked services can be attacked from the external network.

In our scenario, the web service can be attacked from the external network if it is not blocked by a firewall rule.

The web service is used to make the VIAapp software available to guests.

Design

POC****Check for VIAware Webservice

Call the vulnerable website (https://viaware/browseSystemFiles.php?path=C:\Windows&icon=browser). This site is only for admins, but does not check the session correctly and lets anonymous users on the site.

Through this site we can already collect information about the server. But there is more.

The rev="string" variable can be adjusted arbitrarily on the client side. This is the string that is written to a file.

In our test we put a demo string

We can also specify any file in which this script will be written. So it is possible to place shellcode (value="string")

**Now trigger the action with one click e.g. on notepad.exe
**

**On server side the file was created with content
**

If we have put an exploit.cmd script into the apache cgi-bin folder, we can execute the script arbitrarily from a browser call.

In the standard installation the Apache service runs in the SYSTEM context and executes the scripts as SYSTEM.