
ReQuest Serious Play F3 Media Server 7.0.3 Unauthenticated Remote Code Execution

Critical
Advisory ID
ZSL-2020-5602
Release Date
18 October 2020
Vendor
ReQuest Serious Play LLC - http://www.request.com
Affected Version
7.0.3.4968 (Pro), 7.0.2.4954, 6.5.2.4954, 6.4.2.4681, 6.3.2.4203, 2.0.1.823
Tested On
ReQuest Serious Play® OS v7.0.1, ReQuest Serious Play® OS v6.0.0, Debian GNU/Linux 5.0, Linux 3.2.0-4-686-pae, Linux 2.6.36-request+lenny.5, Apache/2.2.22, Apache/2.2.9, PHP/5.4.45, PHP/5.2.6-1
Summary

F3 packs all the power of ReQuest's multi-zone Serious Play servers into a compact powerhouse. With the ability to add unlimited NAS devices, the F3 can handle your entire family's media collection with ease.

Description

The ReQuest ARQ F3 web server suffers from an unauthenticated remote code execution vulnerability. By abusing the hidden ReQuest Internal Utilities page (/tools) exposed by the services provided, an attacker can use the Quick File Uploader page (/tools/upload.html) to upload executable PHP files, which results in remote code execution as the web server user.
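A defender-side check for this issue, added here as an example and not part of the advisory: it parses Apache access-log lines (constructed samples below) for visits to the hidden /tools page and flags any client that POSTed to /tools/upload.html and then requested a .php resource. The follow-up path /x.php is a placeholder, since the advisory does not state where uploaded files land.

```python
import re

# Constructed sample access-log lines (not from the advisory). The last four
# model one client visiting /tools, posting to the uploader, then fetching a
# PHP file; /x.php is a placeholder for the unknown upload location.
SAMPLE_LOG = """\
192.0.2.44 - - [18/Oct/2020:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 4096
203.0.113.5 - - [18/Oct/2020:10:01:02 +0000] "GET /tools/ HTTP/1.1" 200 1532
203.0.113.5 - - [18/Oct/2020:10:01:09 +0000] "GET /tools/upload.html HTTP/1.1" 200 812
203.0.113.5 - - [18/Oct/2020:10:01:15 +0000] "POST /tools/upload.html HTTP/1.1" 200 231
203.0.113.5 - - [18/Oct/2020:10:01:20 +0000] "GET /x.php HTTP/1.1" 200 77
"""

# Apache common log format: client, identd, user, [timestamp], "METHOD PATH PROTO", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def tools_requests(log_text):
    """Every request under the hidden /tools page, as (ip, method, path, status)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].split("?", 1)[0].startswith("/tools"):
            hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return hits


def suspicious_uploads(log_text):
    """Map each IP that POSTed to /tools/upload.html to .php paths it requested afterwards."""
    followups = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path == "/tools/upload.html":
            followups.setdefault(rec["ip"], [])
        elif rec["ip"] in followups and path.lower().endswith(".php"):
            followups[rec["ip"]].append(path)
    return followups
```

Any non-empty entry from suspicious_uploads() on a device that has no legitimate reason to serve /tools is worth an incident ticket; blocking /tools at the web server or upstream proxy removes the exposure until the vendor patches.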

Proof of Concept
Disclosure Timeline
01.08.2020 Vulnerability discovered.
16.08.2020 Vendor contacted.
17.10.2020 No response from the vendor.
18.10.2020 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
18.10.2020 Initial release
20.10.2020 Added reference [1] and [2]
26.10.2020 Added reference [3] and [4]
08.12.2025 Added reference [5] and [6]