ReQuest Serious Play F3 Media Server 7.0.3 Unauthenticated Remote Code Execution

Title: ReQuest Serious Play F3 Media Server 7.0.3 Unauthenticated Remote Code Execution
Advisory ID: ZSL-2020-5602
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 18.10.2020
Summary
F3 packs all the power of ReQuest's multi-zone Serious Play servers into a compact powerhouse. With the ability to add unlimited NAS devices, the F3 can handle your entire family's media collection with ease.
Description
The ReQuest ARQ F3 web server suffers from an unauthenticated remote code execution vulnerability. Abusing the hidden ReQuest Internal Utilities page (/tools), which is exposed among the services provided, an attacker can use the Quick File Uploader page (/tools/upload.html) to upload executable PHP files, which results in remote code execution as the web server user.
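As an added example (not part of the advisory, the PoC, or the vendor's code), the following Python triage script flags the request pattern the description implies in Apache access logs: any access to /tools, a POST to /tools/upload.html, and a later .php request from the same client. The sample log lines are constructed, and /x.php is an assumed name for an uploaded file, since the advisory does not say where uploads are stored.

```python
import re
from typing import Iterable, List, Set, Tuple

# Apache "combined" access-log line (the affected servers run Apache 2.2.x).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths named in the advisory: the hidden utilities page and its uploader.
TOOLS_PAGE = "/tools"
UPLOADER_PAGE = "/tools/upload.html"


def is_tools_path(path: str) -> bool:
    return path == TOOLS_PAGE or path.startswith(TOOLS_PAGE + "/")


def find_suspicious(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client ip, category, path) for: any access to /tools, POSTs to
    the uploader, and .php requests that follow an upload from the same client
    (a likely call to the dropped file)."""
    findings: List[Tuple[str, str, str]] = []
    uploaders: Set[str] = set()  # clients that already POSTed to the uploader
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, method = m.group("ip"), m.group("method")
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if method == "POST" and path == UPLOADER_PAGE:
            uploaders.add(ip)
            findings.append((ip, "upload_attempt", path))
        elif is_tools_path(path):
            findings.append((ip, "tools_access", path))
        elif ip in uploaders and path.lower().endswith(".php"):
            # Heuristic: the application itself is PHP, so exclude its known
            # pages when tuning this against real logs.
            findings.append((ip, "post_upload_php_request", path))
    return findings


# Constructed sample log: documentation-range IPs; /x.php is a made-up name
# for an uploaded file (the advisory does not say where uploads are stored).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Oct/2020:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Oct/2020:10:00:05 +0000] "GET /tools HTTP/1.1" 200 512 "-" "python-requests/2.24"
203.0.113.7 - - [18/Oct/2020:10:00:09 +0000] "POST /tools/upload.html HTTP/1.1" 200 88 "-" "python-requests/2.24"
203.0.113.7 - - [18/Oct/2020:10:00:12 +0000] "GET /x.php HTTP/1.1" 200 60 "-" "python-requests/2.24"
198.51.100.4 - - [18/Oct/2020:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""
```

Run `find_suspicious(SAMPLE_LOG.splitlines())` to see the three findings for 203.0.113.7; the other client's ordinary page view is not reported.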
Vendor
ReQuest Serious Play LLC - http://www.request.com
Affected Version
7.0.3.4968 (Pro)
7.0.2.4954
6.5.2.4954
6.4.2.4681
6.3.2.4203
2.0.1.823
Tested On
ReQuest Serious Play® OS v7.0.1
ReQuest Serious Play® OS v6.0.0
Debian GNU/Linux 5.0
Linux 3.2.0-4-686-pae
Linux 2.6.36-request+lenny.5
Apache/2.2.22
Apache/2.2.9
PHP/5.4.45
PHP/5.2.6-1
Vendor Status
[01.08.2020] Vulnerability discovered.
[16.08.2020] Vendor contacted.
[17.10.2020] No response from the vendor.
[18.10.2020] Public security advisory released.
PoC
request_rce.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/159607/
[2] https://cxsecurity.com/issue/WLB-2020100116
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/190033
[4] https://www.exploit-db.com/exploits/48952
Changelog
[18.10.2020] - Initial release
[20.10.2020] - Added reference [1] and [2]
[26.10.2020] - Added reference [3] and [4]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk