Critical vulnerabilities in digital signage system could allow access to attackers through default passwords

• Attackers could gain access into the web-interface of the digital signage system due to an unchanged default administrator password.
• A security researcher after accessing the web interface through default password identified references online to an arbitrary file read (LFI) vulnerability present in the digital signage software's RenderingFetch API function.

A security researcher named Drew Green spotted several severe vulnerabilities in Tightrope Media Systems’ digital signage system. Drew Green spotted these vulnerabilities during a penetration test of the Carousel system. The researcher explained in a blog that his client was making use of the software on an appliance provided by TRMS which was ‘essentially an x86 Windows 10 PC’.

Attackers could access web interface via default password

Green stated that he could gain access into the web-interface of the digital signage system due to an unchanged default admin password (CVE-2018-18929).

Upon gaining access into the web-interface, Green identified references online to an arbitrary file read (LFI) vulnerability present in the digital signage software’s RenderingFetch API function (CVE-2018-14573). The researcher described that he was able to successfully read files on the system by reading the CVE and the API documentation.

The web interface allows users to upload bulletins

The researcher further explored the Carousel web interface and found out that the web interface allows users to upload ‘bulletins’ on the digital signage screen. Green also found out that the web interface accepts ZIP files for uploading bulletins. However, while he attempted to upload files, it rejected as the file was not properly formatted.

“In order to identify the format of these files, I found that I could export an existing bulletin and then open this ZIP file up on my system to look at the structure. Inside of the file, there is a folder called ‘Pages’, with another folder within that named with a random GUID. I inserted two malicious .ASPX files and then attempted to upload the file. After this, I was able to successfully upload the ZIP file to the system,” Drew Green described in his blog.

However, Green came across obstacles when he attempted to travel to the URL of the malicious files.

“It appeared that when inserting files into this ZIP archive, the path separator for files and directories was being set to the forward-slash character (/) rather than the backslash character (\). This caused the files I added to be discarded by the server upon upload. I was eventually able to see this clearly by opening the file in a hex editor,” Green explained.

In order to overcome the obstacle, Green manually changed the characters, he was then able to execute commands on the system via a web shell.

Privilege escalation vulnerability

The security researcher spotted another vulnerability (CVE-2018-18931) which allowed him to escalate privileges on a user account to a local administrator, and while exploiting the vulnerability required a system restart.

“After making the SMB port available to remote systems, I was able to authenticate via SMB with Metasploit and have full control over the system conveniently. This privilege-escalation vulnerability has been assigned CVE-2018-18931,” the researcher said.

Drew Green reported his findings to Tightrope Media Systems in November 2018. The company responded back saying that the vulnerabilities were fixed and they did not follow up to know the specifics of the bugs found.

“They have not followed up with me to discuss with them the specifics of these vulnerabilities. Now that approximately 90 days have elapsed since original disclosure, this information is being made publicly available,” Drew Green concluded.