Security researcher Drew Green has pried open an internet-connected digital signage system thanks to a default admin web interface password: an easily changeable password that allowed him into the web interface, from where he stumbled onto a chain of vulnerabilities that could allow a malicious attacker to upload whatever unsavories they’d like to display on people’s signage screens.
On Friday, 90 days after Green says he disclosed the vulnerabilities to the digital signage system maker, he published the specifics.
He had pulled apart the signage system for a client during a full-scope penetration test, and this system happened to be on the network. He couldn’t find anything else to dig into, so Green sunk his hooks into the signage system, named Carousel, which comes from Tightrope Media Systems (TRMS) and which his client was running on a TRMS-supplied device that Green says is “essentially an x86 Windows 10 PC.”
As Green understands it, his client had a television in the lobby that was hooked up to the system in order to display information about the company: for example, when interns graduated college; names and pictures of new hires; and awards the company had received. The systems can also play audio, videos, or images: a good way to give customers their first impression when they’re visiting your company.
Or, on the other hand, a good way to sear visitors’ eyeballs if a hacker figures out how to upload whatever unsavories they like.
Poking around online, Green came across a vulnerability (CVE-2018-14573) on his client’s version of the system that allowed him to read system files. He tried to read protected files, such as the SQL database, but found that he couldn’t. What he could do, though, was to email a backed-up file to himself.
It wasn’t the exact database he was after, though, just a secondary database… one that lacked user authentication details. So Green backed out and found another way to jimmy open the system: namely, an interface that allows users to upload “bulletins,” which are the items that get displayed on the digital signage system.
It accepted ZIP files, but it spat out what Green tried to feed it. He could, however, export one of the system’s existing ZIP files to take a peek at how it liked its files structured. Using that insight, he stuck in two malicious .ASPX files and tried to upload the ZIP file, but no dice: while he could upload the boobytrapped files, he couldn’t locate them in the system.
Until, that is, he found that when files are inserted into the ZIP archives, their path separator was getting flipped around: where you’d expect a standard backslash character (
), he saw that it had been changed to a forward-slash (
It can’t possibly be that simple
Green switched the character with a hex editor. His thought:
Surely this will not work.
Surely, it did.
That simple edit greased the wheels of his malicious files: into the Carousel system they went, and then onto the main bulletin listing, from whence they could be executed via a web shell.
Green discovered another vulnerability, CVE-2018-18931, that allowed him to jack up privileges on a user account to that of a local administrator. To exploit the bug, he’d need to restart the system, but basic accounts can’t do that. So instead, he sent a command to force a server reboot, and that did the trick.
After the system came back up, I ran a command to view the local users and administrators on the system and found that my account had been created and was now a local admin!
Green notified TRMS of the vulnerabilities in early November. The company responded on 13 November, telling him that it believed the bugs were fixed and asking for his client’s version number, in case the client was on an older, unpatched version.
However, TRMS didn’t ask for specifics about the bugs at the time. But on Tuesday, four days after publishing his findings, TRMS reached out to thank Green for his work and for helping the company to secure the digital signage system.
On Monday, TRMS posted a knowledgebase article detailing the workarounds for mitigating the vulnerabilities that Green found: CVE-2018-14573, CVE-2018-18929, CVE-2018-18930, and CVE-2018-18931.
A patch will ship for all customers later this week, TRMS told Green.
How serious is a pwned sign?
Green used the Shodan search engine to get an idea of how many installations of the Carousel product are exposed on the public internet. The answer: a lot. Some belonged to municipalities or institutions of higher education, so one imagines that vulnerable Carousel systems might be in use in areas where they’re exposed to sizeable numbers of people.
Green didn’t attempt to access any of them. Doing so could have gotten him into moral and legal hot water. Thus, he said he can’t speak to the level of security or exposure other Carousel systems may possess.
But in general, when we’re speaking about pwned signage, I came across recent, related news, leading me to the conclusion that it can get…
Well, that wasn’t very civic-minded. Not good for keeping drivers’ attention focused on the task at hand. Though, arguably, it’s not as distracting as the porn that a hacker broadcast on an Indonesian billboard a few years back.
Regardless of whether your signage is on the scale of a bulletin board or a PC monitor, and regardless of what distraction hackers choose to inflict on viewers – propaganda? Links to malware-laced sites? Bogus emergency alerts or driving instructions? – you just don’t want your digital signage to flash junk.
Thankfully, TRMS jumped on this when it realized the seriousness of the vulnerabilities. Users, please do keep an eye out for the patch this week, and act accordingly.