← Advisories

Eibiz i-Media Server Digital Signage 3.8.0 Remote Privilege Escalation / Account Takeover

Critical

Advisory ID

ZSL-2020-5584

Release Date

21 August 2020

Vendor

EIBIZ Co.,Ltd. - http://www.eibiz.co.th

Affected Version

<=3.8.0

CVE

N/A

Tested On

Windows Server 2016, Windows Server 2012 R2, Windows Server 2008 R2, Apache Flex, Apache Tomcat/6.0.14, Apache-Coyote/1.1, BlazeDS Application

Summary

EIBIZ develop advertising platform for out of home media in that time the world called "Digital Signage". Because most business customers still need get outside to get in touch which products and services. Online media alone cannot serve them right place, right time.

Description

The application suffers from an unauthenticated remote privilege escalation and account takeover vulnerability that can be triggered by directly calling the updateUser object (part of ActionScript object graphs), effectively elevating to an administrative role or taking over an existing account by modifying the settings.

Proof of Concept

imediasignage_privesc.pyTXT

Disclosure Timeline

26.07.2020Vulnerability discovered.

30.07.2020Vendor contacted.

20.08.2020No response from the vendor.

21.08.2020Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://www.exploit-db.com/exploits/48774

[2]https://packetstormsecurity.com/files/158942

[3]https://exchange.xforce.ibmcloud.com/vulnerabilities/187186

[4]https://cxsecurity.com/issue/WLB-2020080116

[5]https://research-labs.net/search/exploits/eibiz-i-media-server-digital-signage-380-privilege-escalation

Changelog

21.08.2020Initial release

19.09.2020Added reference [1], [2], [3], [4] and [5]