Digital signs left wide open with default password

Security researcher Drew Green has pried open an internet-connected digital signage system thanks to a default admin web interface password: an easily changeable password that allowed him into the web interface, from where he stumbled onto a chain of vulnerabilities that could allow a malicious attacker to upload whatever unsavories they’d like to display on people’s signage screens.

On Friday, 90 days after Green says he disclosed the vulnerabilities to the digital signage system maker, he published the specifics.

He had pulled apart the signage system for a client during a full-scope penetration test, and this system happened to be on the network. He couldn’t find anything else to dig into, so Green sank his hooks into the signage system, named Carousel, which comes from Tightrope Media Systems (TRMS) and which his client was running on a TRMS-supplied device that Green says is “essentially an x86 Windows 10 PC.”

As Green understands it, his client had a television in the lobby that was hooked up to the system in order to display information about the company: for example, when interns graduated college; names and pictures of new hires; and awards the company had received. The systems can also play audio, videos, or images: a good way to give customers their first impression when they’re visiting your company.

Or, on the other hand, a good way to sear visitors’ eyeballs if a hacker figures out how to upload whatever unsavories they like.

Poking around online, Green came across a vulnerability (CVE-2018-14573) on his client’s version of the system that allowed him to read system files. He tried to read protected files, such as the SQL database, but found that he couldn’t. What he could do, though, was to email a backed-up file to himself.

It wasn’t the exact database he was after, though, just a secondary database… one that lacked user authentication details. So Green backed out and found another way to jimmy open the system: namely, an interface that allows users to upload “bulletins,” which are the items that get displayed on the digital signage system.

It accepted ZIP files, but it spat out what Green tried to feed it. He could, however, export one of the system’s existing ZIP files to take a peek at how it liked its files structured. Using that insight, he stuck in two malicious .ASPX files and tried to upload the ZIP file, but no dice: while he could upload the boobytrapped files, he couldn’t locate them in the system.

Until, that is, he found that when files are inserted into the ZIP archives, their path separator was getting flipped around: where you’d expect a standard backslash character (\), he saw that it had been changed to a forward-slash (/).

It can’t possibly be that simple

Green switched the character with a hex editor. His thought:

“Surely this will not work.”

Surely, it did.

That simple edit greased the wheels of his malicious files: into the Carousel system they went, and then onto the main bulletin listing, from whence they could be executed via a web shell.
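A server-side check on the raw entry names of an uploaded bulletin ZIP would have stopped this step, whichever separator the archive used. The sketch below is an added example, not code from Carousel or from Green's write-up; the blocked-extension list and the sample entry names are assumptions constructed for illustration.

```python
import io
import posixpath
import zipfile

# Assumption: extensions an IIS/ASP.NET host would execute; not a list from the page.
BLOCKED_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".config"}


def check_entry(raw_name):
    """Return the reasons to reject one ZIP entry name (empty list = acceptable)."""
    reasons = []
    if "\\" in raw_name:
        reasons.append("backslash separator")
    # Compare on one canonical form so swapping separators cannot dodge a check.
    name = raw_name.replace("\\", "/")
    if name.startswith("/") or ":" in name:
        reasons.append("absolute path or colon")
    if ".." in name.split("/"):
        reasons.append("path traversal")
    # Windows drops trailing dots and spaces, so strip them before reading the extension.
    ext = posixpath.splitext(name.rstrip("/. "))[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        reasons.append("server-executable extension " + ext)
    return reasons


def audit_zip(data):
    """Map each offending entry (raw stored name) to its rejection reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # orig_filename is the name as stored, before zipfile normalises it.
            reasons = check_entry(info.orig_filename)
            if reasons:
                findings[info.orig_filename] = reasons
    return findings


def build_sample(names):
    """Build an in-memory ZIP with constructed entries for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in names:
            zf.writestr(zipfile.ZipInfo(entry), b"constructed sample content")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample(["Bulletins/logo.png", "Bulletins\\page.aspx"])
    for entry, why in audit_zip(sample).items():
        print("REJECT", repr(entry), "->", ", ".join(why))
```

Rejecting the whole archive on any finding is safer than skipping the flagged entries, since a partial import still leaves the handler processing attacker-shaped input.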

Green discovered another vulnerability, CVE-2018-18931, that allowed him to jack up privileges on a user account to that of a local administrator. To exploit the bug, he’d need to restart the system, but basic accounts can’t do that. So instead, he sent a command to force a server reboot, and that did the trick.

“After the system came back up, I ran a command to view the local users and administrators on the system and found that my account had been created and was now a local admin!”

Green notified TRMS of the vulnerabilities in early November. The company responded on 13 November, telling him that it believed the bugs were fixed and asking for his client’s version number, in case the client was on an older, unpatched version.