Security Vulnerability Advisory
-------------------------------

CVE: CVE-2019-12304
Publication Date: 04/29/2020
Revision: 1.0
Link: https://digital.security/advisories/cert-ds_advisory-ezcast_pro_ii_arbitrary_file_upload-cve-2019-12304.txt

Title
-----
Arbitrary File Upload leading to Unauthenticated Remote Code Execution

Overview
--------
The EZCast administration panel allows unauthenticated users to upload files to arbitrary locations on the device. This can be used to execute arbitrary code on the device with root privileges.

Affected Products
-----------------
- EZCast Pro II

Details
-------
The EZCast allows unauthenticated users to upload files through http://192.168.168.1/upload.html. The uploaded file is normally written to /tmp, but by manipulating the upload POST request it is possible to change the filename to an arbitrary path. The file is written with root privileges.

Furthermore, we noticed that when accessing http://192.168.168.1/cgi-bin/conference-control.cgi the script complains about the missing executable "ifconfig". This means that if we use the upload to place an executable named "ifconfig" where the script expects to find it, then accessing conference-control.cgi executes our arbitrary code with root privileges, giving us complete control over the system. All of this can be done remotely by an unauthenticated user.

From there an attacker can record presentations displayed on the device, set up backdoors for long-term access, attack other networks to which the device is connected, or completely destroy the system. A factory reset does not actually reset most of the system, so it is not enough to remove backdoors or repair a broken system.

CVSSv3 Overall Score: 9.6
CVSS Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Solution
--------
As of 08/04/2019, EZCast declared that a firmware upgrade fixing this issue is available "over-the-air".
Make sure to upgrade the firmware using your preferred EZCast app; see the Support section at https://ezcast-pro.com/ezcast-pro/pro2/

Credits
-------
This vulnerability was discovered by Cédric Picard from digital.security Luxembourg and Pieterjan Denys from digital.security Belgium.

Revision History
----------------
Revision 0.1: 05/14/2019 / Initial draft
Revision 1.0: 04/29/2020 / Advisory publication

Timeline
--------
2019.04.19 Vulnerability found during client audit; that client is informed
2019.05.14 Vulnerability reported to CERT-DS
2019.05.23 Vulnerability reported to EZCast
2020.04.29 Advisory publication

References
----------
https://www.ezcast.com/product/ezcast/pro/dongle2
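The flaw described in the Details section is the classic pattern of a server trusting the client-supplied filename of a multipart upload. The following Python is an added example written for this page, not code from the advisory or from the EZCast firmware. It shows a minimal handler that joins the client's filename onto the upload directory unchanged (the behaviour the advisory describes, reproduced in a throwaway sandbox directory rather than on a device) next to a hardened handler that keeps only the last path component and checks that the resolved destination stays inside the upload directory. The attacker filename "../usr/bin/ifconfig", the payload and the sandbox layout are constructed for the demo; the advisory does not give the request fields or the on-device paths involved.

```python
import os
import shutil
import tempfile


def is_inside(base_dir, path):
    """True if `path` resolves to a location inside `base_dir` (symlinks followed)."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(path)
    return os.path.commonpath([base, target]) == base


def save_upload_vulnerable(upload_dir, client_filename, data):
    """Pattern behind the flaw: the filename taken from the multipart
    Content-Disposition header is trusted as-is.  '../' segments walk out of
    upload_dir, and os.path.join() drops upload_dir entirely when the client
    sends an absolute path, so the client chooses where the file lands."""
    dest = os.path.join(upload_dir, client_filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return os.path.realpath(dest)


def save_upload_safe(upload_dir, client_filename, data):
    """Hardened form: keep only the last path component, reject empty or
    special names, and verify the resolved destination is still inside
    upload_dir before writing (this also catches a symlink planted there)."""
    base = os.path.realpath(upload_dir)
    name = os.path.basename(client_filename.replace("\\", "/"))
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError("invalid upload filename: %r" % client_filename)
    dest = os.path.join(base, name)
    if not is_inside(base, dest):
        raise ValueError("upload destination escapes %s" % base)
    with open(dest, "wb") as fh:
        fh.write(data)
    return os.path.realpath(dest)


def demo():
    """Run both handlers against a constructed attacker filename inside a
    throwaway sandbox (a fake filesystem root under a temporary directory,
    never the real /tmp or /usr/bin)."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="upload-demo-"))
    upload_dir = os.path.join(root, "tmp")
    os.mkdir(upload_dir)
    # Constructed attacker-supplied filename, mirroring the advisory's chain:
    # escape the upload directory and drop a fake "ifconfig" where a root-run
    # script will later look for it.  The payload is never executed here.
    evil_name = "../usr/bin/ifconfig"
    payload = b"#!/bin/sh\nid\n"
    try:
        vuln_path = save_upload_vulnerable(upload_dir, evil_name, payload)
        safe_path = save_upload_safe(upload_dir, evil_name, payload)
        try:
            save_upload_safe(upload_dir, "..", payload)
            rejects_dotdot = False
        except ValueError:
            rejects_dotdot = True
        return {
            "vulnerable_escaped": not is_inside(upload_dir, vuln_path),
            "vulnerable_target": os.path.relpath(vuln_path, root).replace(os.sep, "/"),
            "safe_contained": is_inside(upload_dir, safe_path),
            "safe_name": os.path.basename(safe_path),
            "safe_rejects_dotdot": rejects_dotdot,
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %s" % (key, value))
```

Run it directly to print the outcome for each handler: the vulnerable one writes the file to usr/bin/ifconfig under the sandbox root, the hardened one writes tmp/ifconfig. Note that sanitising the name does not change the privilege with which the file is created; on a device where the upload handler runs as root, the write should additionally be performed as an unprivileged user, and a root-run script that resolves helper binaries through a search path should not have any writable directory on that path.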