
CVE-2019-17124 PoC — Kramer Electronics VIAware security vulnerability

Source
Associated Vulnerability
Title: Kramer Electronics VIAware security vulnerability (CVE-2019-17124)
Description: Kramer Electronics VIAware is a wireless presentation and collaboration software solution from the Israeli company Kramer Electronics. A security vulnerability exists in Kramer Electronics VIAware version 2.5.0719.1034. A remote attacker can exploit it by sending a crafted HTTP request to execute arbitrary code on the system.
Description
KRAMER VIAware 2.5.0719.1034 - Remote Code Execution
Readme
# Exploit Title: KRAMER VIAware 2.5.0719.1034 - Remote Code Execution

Date: 2019-10-02<br/>
Author: Andrew Hess<br/>
Software Link: https://www.kramerav.com/us/product/viaware<br/>
Version: 2.5.0719.1034<br/>
CVE: CVE-2019-17124<br/>

# History

2019.10.02 - Vulnerability discovered<br/>
2019.10.02 - Initial contact with the vendor<br/>
2019.10.04 - Second contact with the vendor<br/>
2019.10.08 - No reply from the vendor<br/>
2019.10.09 - Public security advisory released<br/>

# Software description

All the advanced wireless presentation and collaboration tools offered by VIA Campus can now be used on your own PC to enhance collaborative meetings 
in Corporate environments and interactive learning in Education and training environments. 
From any laptop or mobile device, any in-room meeting participant or trainee can view the main display, 
edit documents together in real time, share any size file, turn the main display into a digital whiteboard, and more. 
VIAware also lets facilitators use e-polling and e-exams to easily and instantly measure how much students & trainees are actually learning. 
VIAware can show up to six user screens on one main display or up to 12 screens on two displays (hardware-dependent) 
and features iOS mirroring for MacBook, iPad, and iPhone as well as native mirroring for Chromebook, Android (Lollipop OS 5.0 or newer), and Windows phone. 
Remote students can easily join the class and collaborate in real time with embedded 3rd-party video conferencing and office apps. 
VIAware delivers the same security offered by all VIA devices and can be installed on any computer running Windows 10, providing IT managers the versatility they need. 
The software works seamlessly with your existing VIA clients and VIA Site Management and offers full support for all VIA Quick Connect features, such as QR Code, NFC Tag and VIA Pad.
VIAware is available as a one-time license with optional annual upgrade subscriptions or as a recurring annual subscription. 


# Exploit description

The VIAware software is installed on a gateway computer that can have two network cards.<br/>
One network card serves the internal network and the other serves the external network (the access point) to which guests connect.<br/>
<br/>
This setup is dangerous because any service that is not blocked can be attacked from the external network.<br/>
<br/>
In our scenario, the web service can be attacked from the external network if it is not blocked by a firewall rule.<br/>
<br/>
The web service is used to make the VIAapp software available to guests.<br/>


# Design

![viaware_network](viaware_network.PNG?raw=true "viaware_network.PNG")


# POC

## Check for VIAware Webservice
![viaware1](viaware1.png?raw=true "viaware1.png")
<br/><br/><br/>
## Call the vulnerable page (https://viaware/browseSystemFiles.php?path=C:\Windows&icon=browser). This page is intended for admins only, but it does not check the session correctly and lets anonymous users in.
![viaware2](viaware2.png?raw=true "viaware2.png")
<br/><br/><br/>
## Through this page we can already collect information about the server. But there is more.
![viaware3](viaware3.png?raw=true "viaware3.png")
<br/><br/><br/>
## The rev="string" variable can be adjusted arbitrarily on the client side. This is the string that is written to a file.
![viaware4](viaware4.png?raw=true "viaware4.png")
<br/><br/><br/>
## In our test we put a demo string
![viaware5](viaware5.png?raw=true "viaware5.png")
<br/><br/><br/>
## We can also specify any file into which this string will be written, so it is possible to place shellcode (value="string").
![viaware5_1](viaware5_1.png?raw=true "viaware5_1.png")
<br/><br/><br/>
## Now trigger the action with one click, e.g. on notepad.exe
![viaware6](viaware6.png?raw=true "viaware6.png")
<br/><br/><br/>
## On the server side the file was created with the given content
![viaware7](viaware7.png?raw=true "viaware7.png")
<br/><br/><br/>
## If we have placed an exploit.cmd script into the Apache cgi-bin folder, we can execute that script at will from a browser call.
![viaware8](viaware8.png?raw=true "viaware8.png")
<br/><br/><br/>
## In the standard installation the Apache service runs in the SYSTEM context and executes the scripts as SYSTEM.
![viaware9](viaware9.png?raw=true "viaware9.png")
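As an added illustration of how a defender could spot this chain in the gateway's Apache access log (this is example code added here, not code from the advisory or from Kramer), the script below parses constructed combined-format log lines and flags requests to browseSystemFiles.php that are answered to a client on the guest access-point subnet, as well as any script executed under /cgi-bin/. The guest subnet 10.10.0.0/24 and the log lines themselves are assumptions.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Assumption: the guest access point hands out addresses from this subnet.
GUEST_NET = ip_network("10.10.0.0/24")

# Constructed Apache combined-format log lines (not taken from the advisory).
SAMPLE_LOG = """\
10.10.0.23 - - [09/Oct/2019:10:15:01 +0200] "GET /browseSystemFiles.php?path=C:%5CWindows&icon=browser HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.0.23 - - [09/Oct/2019:10:16:44 +0200] "GET /cgi-bin/exploit.cmd HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.168.1.5 - admin [09/Oct/2019:10:20:00 +0200] "GET /browseSystemFiles.php?path=C:%5CUsers&icon=browser HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
10.10.0.40 - - [09/Oct/2019:10:21:13 +0200] "GET /index.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def scan(log_text):
    """Return one finding per request that matches either detection rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format entry; skip it
        ip = ip_address(m["ip"])
        parts = urlsplit(m["url"])
        path = parts.path.lower()
        reasons = []
        # Rule 1: the admin-only file browser is served to a guest-network client.
        if path.endswith("/browsesystemfiles.php") and ip in GUEST_NET:
            browsed = parse_qs(parts.query).get("path", ["?"])[0]
            reasons.append(f"admin-only file browser reached from guest network (path={browsed})")
        # Rule 2: a script under cgi-bin was executed; Apache runs these as SYSTEM here.
        if path.startswith("/cgi-bin/") and path.endswith((".cmd", ".bat", ".exe")):
            reasons.append("script executed via Apache cgi-bin")
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "url": m["url"],
                             "status": int(m["status"]), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["url"], "->", "; ".join(f["reasons"]))
```

Pointing `scan` at the real access log with GUEST_NET set to the access point's subnet applies the same two checks to live traffic; a firewall rule that blocks the web service from the guest network removes the first condition entirely.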