CVE-2018-18930

The Tightrope Media Carousel digital signage product 7.0.4.104 contains an arbitrary file upload vulnerability in the Manage Bulletins/Upload feature, which can be leveraged to gain remote code execution. An authenticated attacker can upload a crafted ZIP file (based on an exported backup of existing "Bulletins") containing a malicious file. When uploaded, the system only checks for the presence of the needed files within the ZIP and, as long as the malicious file is named properly, will extract all contained files to a new directory on the system, named with a random GUID. The attacker can determine this GUID by previewing an image from the uploaded Bulletin within the web UI. Once the GUID is determined, the attacker can navigate to the malicious file and execute it. In testing, an ASPX web shell was uploaded, allowing for remote-code execution in the context of a restricted IIS user.

CVSS v3 8.8 HIGH
CVSS v2.0 6.5 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://www.drewgreen.net/vulnerabilities-in-tightrope-media-systems-carousel/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:trms:carousel_digital_signage:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-10-29 20:15

Updated : 2023-12-10 13:13

NVD link : CVE-2018-18930

Mitre link : CVE-2018-18930

CVE.ORG link : CVE-2018-18930

JSON object : View

Products Affected

trms

carousel_digital_signage

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2018-18930", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2019-10-29T20:15:10.803", "references": [{"url": "https://www.drewgreen.net/vulnerabilities-in-tightrope-media-systems-carousel/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "The Tightrope Media Carousel digital signage product 7.0.4.104 contains an arbitrary file upload vulnerability in the Manage Bulletins/Upload feature, which can be leveraged to gain remote code execution. An authenticated attacker can upload a crafted ZIP file (based on an exported backup of existing \"Bulletins\") containing a malicious file. When uploaded, the system only checks for the presence of the needed files within the ZIP and, as long as the malicious file is named properly, will extract all contained files to a new directory on the system, named with a random GUID. The attacker can determine this GUID by previewing an image from the uploaded Bulletin within the web UI. Once the GUID is determined, the attacker can navigate to the malicious file and execute it. In testing, an ASPX web shell was uploaded, allowing for remote-code execution in the context of a restricted IIS user."}, {"lang": "es", "value": "El producto de se\u00f1alizaci\u00f3n digital Tightrope Media Carousel versi\u00f3n 7.0.4.104, contiene una vulnerabilidad de carga de archivos arbitraria en la funcionalidad Manage Bulletins/Upload, que puede ser aprovechada para conseguir la ejecuci\u00f3n de c\u00f3digo remota. Un atacante autenticado puede cargar un archivo ZIP dise\u00f1ado (basado en una copia de seguridad exportada de \"Bulletins\" existentes) que contiene un archivo malicioso. Cuando es cargada, el sistema solo comprueba la presencia de los archivos necesarios dentro del ZIP y, siempre que el archivo malicioso tenga un nombre apropiado, extraer\u00e1 todos los archivos contenidos en un nuevo directorio en el sistema, nombrado con un GUID aleatorio. El atacante puede determinar este GUID mediante la previsualizaci\u00f3n de una imagen del Bolet\u00edn cargado dentro de la interfaz de usuario web. Una vez que el GUID es determinado, el atacante puede navegar en el archivo malicioso y ejecutarlo. En las pruebas, un shell web ASPX fue cargado, lo que permite la ejecuci\u00f3n de c\u00f3digo remota en el contexto de un usuario IIS restringido."}], "lastModified": "2019-11-05T18:01:50.623", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:trms:carousel_digital_signage:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F395E7E9-1DEB-4F95-B773-BFC89E9B7341", "versionEndIncluding": "7.0.4.104"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}