Title: Eibiz i-Media Server Digital Signage 3.8.0 Remote Privilege Escalation / Account Takeover
Advisory ID: ZSL-2020-5584
Type: Local/Remote
Impact: Privilege Escalation, Security Bypass
Risk: (5/5)
Release Date: 21.08.2020

Summary

EIBIZ develop advertising platform for out of home media in that time the world called "Digital Signage". Because most business customers still need get outside to get in touch which products and services. Online media alone cannot serve them right place, right time.

Description

The application suffers from an unauthenticated remote privilege escalation and account takeover vulnerability that can be triggered by directly calling the updateUser object (part of ActionScript object graphs), effectively elevating to an administrative role or taking over an existing account by modifying the settings.

Vendor

EIBIZ Co.,Ltd. - http://www.eibiz.co.th

Affected Version

<=3.8.0

Tested On

Windows Server 2016
Windows Server 2012 R2
Windows Server 2008 R2
Apache Flex
Apache Tomcat/6.0.14
Apache-Coyote/1.1
BlazeDS Application

Vendor Status

[26.07.2020] Vulnerability discovered.
[30.07.2020] Vendor contacted.
[20.08.2020] No response from the vendor.
[21.08.2020] Public security advisory released.

PoC

imediasignage_privesc.py

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://www.exploit-db.com/exploits/48774
[2] https://packetstormsecurity.com/files/158942
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/187186
[4] https://cxsecurity.com/issue/WLB-2020080116
[5] https://research-labs.net/search/exploits/eibiz-i-media-server-digital-signage-380-privilege-escalation

Changelog

[21.08.2020] - Initial release
[19.09.2020] - Added reference [1], [2], [3], [4] and [5]

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk