WePresent file_transfer.cgi Remote Command Execution - Nessus

Critical   Plugin ID: 124367

This page contains detailed information about the WePresent file_transfer.cgi Remote Command Execution Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or in Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 124367
Name: WePresent file_transfer.cgi Remote Command Execution
Filename: barco_wepresent_rce.nbin
Vulnerability Published: 2019-04-30
This Plugin Published: 2019-04-30
Last Modification Time: 2022-04-22
Plugin Version: 1.26
Plugin Type: remote
Plugin Family: CGI abuses
Dependencies: http_version.nasl

Vulnerability Information


Severity: Critical
Vulnerability Published: 2019-04-30
Patch Published: 2019-04-30
CVE [?]: CVE-2019-3929
CPE [?]: N/A

Synopsis

The remote device is affected by a remote command execution vulnerability.

Description

The remote device is affected by a remote command execution vulnerability due to improper sanitization of user-supplied input passed via /cgi-bin/file_transfer.cgi. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to execute arbitrary commands on the device. Note that Nessus has detected this vulnerability by reading the contents of the file /proc/cpuinfo.
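
The description above names the vulnerability class (user-supplied input reaching a command interpreter unsanitized) but not the device's code. The following is an added illustration, not WePresent firmware and not anything from Tenable's plugin: a hypothetical file-transfer CGI handler that lists a client-chosen directory, written once in the injectable form and once hardened. The directory-listing behaviour, the `uploads` name and the `PWNED` marker are assumptions made for the example.

```python
import os
import re
import subprocess
import tempfile

# Hypothetical CGI handler (NOT the WePresent code): the client supplies a
# directory name and the handler lists it. Two implementations follow.

# Allowlist for the hardened version: one path component, no leading '-'
# (so it cannot become an option), no '/', no shell metacharacters, no '..'.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def list_dir_vulnerable(user_dir: str) -> str:
    """Injectable: user input is spliced into a shell command line.

    An input such as '/ ; echo PWNED' makes the shell run a second command,
    which is exactly the pattern described for file_transfer.cgi."""
    cmd = f"ls -1 {user_dir}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def is_safe_name(name: str) -> bool:
    """True only for names matching the allowlist above ('..' cannot match)."""
    return SAFE_NAME.fullmatch(name) is not None


def list_dir_safe(name: str, base: str) -> list:
    """Hardened: allowlist the name, confine it under `base`, exec without a shell."""
    if not is_safe_name(name):
        raise ValueError(f"rejected directory name: {name!r}")
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, name))
    # Belt and braces: even a name that passed the regex must stay under base.
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError("path escapes base directory")
    # Argument vector, no shell: metacharacters in `target` are just bytes.
    proc = subprocess.run(["ls", "-1", "--", target],
                          capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def demo() -> dict:
    """Builds a scratch tree, exercises both handlers and returns the outcome."""
    scratch = tempfile.mkdtemp(prefix="cgi-demo-")
    os.mkdir(os.path.join(scratch, "uploads"))
    open(os.path.join(scratch, "uploads", "report.pdf"), "w").close()

    injected = list_dir_vulnerable("/ ; echo PWNED")      # second command runs
    safe_listing = list_dir_safe("uploads", base=scratch)  # legitimate use works
    rejected = []
    for bad in ["uploads; echo PWNED", "$(id)", "../etc", "..", "uploads/../..", "-la"]:
        try:
            list_dir_safe(bad, base=scratch)
        except ValueError:
            rejected.append(bad)
    return {
        "injected_marker_seen": "PWNED" in injected,
        "safe_listing": safe_listing,
        "rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The hardened version does not try to strip or escape metacharacters; it refuses anything outside a small allowlist, re-checks the resolved path against the base directory, and never hands the value to a shell at all. That combination is what "proper sanitization" has to mean for a CGI that ends up calling system tools.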

Solution

Contact the manufacturer for a firmware update.

Public Exploits


Target Network Port(s): 443
Target Asset(s): Services/www
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the WePresent file_transfer.cgi Remote Command Execution vulnerability:

  1. Metasploit: exploit/linux/http/wepresent_cmd_injection
    [Barco WePresent file_transfer.cgi Command Injection]
  2. Exploit-DB: exploits/linux/remote/47924.rb
    [EDB-47924: Barco WePresent - file_transfer.cgi Command Injection (Metasploit)]
  3. Exploit-DB: exploits/hardware/webapps/46786.txt
    [EDB-46786: Crestron AM/Barco wePresent WiPG/Extron ShareLink/Teq AV IT/SHARP PN-L703WA/Optoma WPS-Pro/Blackbox HD WPS/InFocus LiteShow - Remote Command Injection]
  4. GitHub: https://github.com/xfox64x/CVE-2019-3929
    [CVE-2019-3929: Crestron/Barco/Extron/InFocus/TeqAV Remote Command Injection (CVE-2019-3929) ...]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS Score Source [?]: CVE-2019-3929
CVSS V2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
CVSS Base Score: 10.0 (High)
Impact Subscore: 10.0
Exploitability Subscore: 10.0
CVSS Temporal Score: 8.7 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 8.7 (High)
CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
CVSS Base Score: 9.8 (Critical)
Impact Subscore: 5.9
Exploitability Subscore: 3.9
CVSS Temporal Score: 9.4 (Critical)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 9.4 (Critical)


Plugin Source


The barco_wepresent_rce.nbin Nessus plugin is distributed in a proprietary binary format and its source code is protected. This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/barco_wepresent_rce.nbin
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\barco_wepresent_rce.nbin
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/barco_wepresent_rce.nbin


How to Run


Here is how to run the WePresent file_transfer.cgi Remote Command Execution plugin on its own via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. In the top right corner, click Disable All to deselect every plugin.
  5. On the left side table select CGI abuses plugin family.
  6. On the right side table select WePresent file_transfer.cgi Remote Command Execution plugin ID 124367.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin from the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl barco_wepresent_rce.nbin -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a barco_wepresent_rce.nbin -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - barco_wepresent_rce.nbin -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state barco_wepresent_rce.nbin -t <IP/HOST>
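
Once the scan has run, the practical next step is to pull every host flagged by plugin 124367 out of the exported results along with the plugin output (which, per the description above, is the /proc/cpuinfo content the device returned). The script below is an added example, not part of this page or of Tenable's tooling. It assumes the standard .nessus v2 export layout (NessusClientData_v2 / Report / ReportHost / ReportItem with a plugin_output child); the embedded document is constructed for the example, and the plugin output text and the second plugin's finding are made up for it.

```python
import sys
import xml.etree.ElementTree as ET

PLUGIN_ID = "124367"   # WePresent file_transfer.cgi Remote Command Execution

# Constructed .nessus v2 fragment (not a real export): two hosts, one flagged.
# 10107 is http_version.nasl, the dependency listed for this plugin.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="wepresent-check">
    <ReportHost name="192.0.2.10">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="4"
                  pluginID="124367" pluginFamily="CGI abuses"
                  pluginName="WePresent file_transfer.cgi Remote Command Execution">
        <cve>CVE-2019-3929</cve>
        <plugin_output>(constructed) contents of /proc/cpuinfo read from the device:
processor       : 0
model name      : (constructed)
</plugin_output>
      </ReportItem>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="0"
                  pluginID="10107" pluginFamily="Web Servers"
                  pluginName="HTTP Server Type and Version">
        <plugin_output>(constructed) web server banner</plugin_output>
      </ReportItem>
    </ReportHost>
    <ReportHost name="192.0.2.11">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="0"
                  pluginID="10107" pluginFamily="Web Servers"
                  pluginName="HTTP Server Type and Version">
        <plugin_output>(constructed) web server banner</plugin_output>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def scanned_hosts(nessus_xml: str) -> list:
    """All hosts present in the export, flagged or not (coverage check)."""
    root = ET.fromstring(nessus_xml)
    return [h.get("name") for h in root.iter("ReportHost")]


def affected_hosts(nessus_xml: str, plugin_id: str = PLUGIN_ID) -> list:
    """Findings for `plugin_id`, one dict per (host, port) the plugin fired on."""
    root = ET.fromstring(nessus_xml)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            if item.get("pluginID") != plugin_id:
                continue
            output = (item.findtext("plugin_output") or "").strip()
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "cves": [c.text for c in item.findall("cve")],
                # The plugin proves exploitation by reading /proc/cpuinfo, so the
                # presence of a 'processor' line is the evidence to look for.
                "cpuinfo_seen": "processor" in output,
                "output": output,
            })
    return findings


def affected_hosts_from_file(path: str, plugin_id: str = PLUGIN_ID) -> list:
    """Same as affected_hosts() but reads a real .nessus export from disk."""
    with open(path, encoding="utf-8") as fh:
        return affected_hosts(fh.read(), plugin_id)


if __name__ == "__main__":
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_NESSUS
    for f in affected_hosts(xml_text):
        print(f"{f['host']}:{f['port']}/{f['protocol']} severity={f['severity']} "
              f"cves={','.join(f['cves'])} cpuinfo_seen={f['cpuinfo_seen']}")
    print(f"{len(scanned_hosts(xml_text))} host(s) scanned")
```

Run it with the path to a .nessus export as the first argument, or with no argument to process the embedded sample. Comparing `scanned_hosts()` against `affected_hosts()` is the quick way to confirm that a clean result means the plugin ran against a host and found nothing, rather than that the host was never reached on port 443.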


References


TRA | Tenable Research Advisory

See also: Similar and related Nessus plugins:
  • 159548 - VMware Workspace One Access / VMware Identity Manager Multiple Vulnerabilities (VMSA-2022-0011)
  • 10099 - Matt Wright guestbook.pl Arbitrary Command Execution
  • 10128 - SGI InfoSearch infosrch.cgi fname Parameter Arbitrary Command Execution
  • 10176 - Multiple Vendor phf CGI Arbitrary Command Execution
  • 104126 - D-Link DIR-300L/600L Remote Command Execution
  • 104129 - Linksys E1500/E2500 Authenticated Command Execution
  • 119728 - Apache Struts 2 'method:' Prefix Arbitrary Remote Command Execution
  • 127911 - Webmin 1.890 - 1.920 Remote Command Execution (CVE-2019-15107, CVE-2019-15231)
  • 130168 - vBulletin 'widget_php' Command Execution
  • 146488 - Webmin <= 1.910 Remote Command Execution
  • 160208 - WSO2 Multiple Products File Upload Remote Command Execution (CVE-2022-29464)
  • 16189 - AWStats awstats.pl configdir Parameter Arbitrary Command Execution
  • 19555 - HP OpenView Network Node Manager Multiple Scripts Remote Command Execution
  • 19704 - TWiki 'rev' Parameter Arbitrary Command Execution
  • 21328 - AWStats migrate Parameter Arbitrary Command Execution
  • 22123 - TWiki configure Script Arbitrary Command Execution
  • 23963 - Cacti cmd.php Multiple Parameter SQL Injection Arbitrary Command Execution
  • 23966 - Ultimate PHP Board chat/login.php username Parameter Arbitrary Command Execution
  • 25674 - AsteriDex callboth.php Multiple Parameter CRLF Injection Arbitrary Command Execution
  • 26968 - TikiWiki tiki-graph_formula.php f Parameter Arbitrary Command Execution
  • 30124 - Smart Publisher index.php filedata Parameter Arbitrary Command Execution
  • 30132 - Coppermine imageObjectIM.class.php Command Execution Vulnerabilities
  • 31167 - Sniplets Plugin for WordPress execute.php 'text' Parameter Arbitrary Command Execution
  • 34292 - Observer <= 0.3.2.1 Multiple Remote Command Execution Vulnerabilities

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file barco_wepresent_rce.nbin version 1.26. For more plugins, visit the Nessus Plugin Library.
