Main Vulnerability Database Exploits ID:2069 - Exploit for OS command injection in Crestron Electronics products - CVE-2018-11228

ID:2069 - Exploit for OS command injection in Crestron Electronics products - CVE-2018-11228

Published: March 18, 2020

Vulnerability identifier: #VU14300

Vulnerability risk: High

CVE-ID: CVE-2018-11228

CWE-ID: CWE-78

Exploitation vector: Remote access

Vulnerable software:
TSW-560-NC
TSW-760-NC
TSW-1060-NC
TSW-560
TSW-760
TSW-1060

Link to public exploit:

https://github.com/axcheron/crestron_getsudopwd

Vulnerability description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote unauthenticated attacker can submit a specially crafted input via a Bash shell service in Crestron Toolbox Protocol (CTP) and execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Update the affected software to version 2.001.0037.001.

ID:2069 - Exploit for OS command injection in Crestron Electronics products - CVE-2018-11228

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human