cbcvebase.
CVE-2019-3929
published 2019-04-30

Priority: P197 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (due 2022-05-06)
Exploited in the wild
EPSS: 98.95% (99.9th percentile)
The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7 are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.

Affected

12 ranges

Vendor    | Product                                  | Version range | Fixed in
barco     | wepresent_wipg-1000p_firmware            |               |
barco     | wepresent_wipg-1600w_firmware            | < 2.4.1.19    | 2.4.1.19
blackbox  | hd_wireless_presentation_system_firmware |               |
crestron  | am-100_firmware                          |               |
crestron  | am-101_firmware                          |               |
extron    | sharelink_200_firmware                   |               |
extron    | sharelink_250_firmware                   |               |
infocus   | liteshow3_firmware                       |               |
infocus   | liteshow4_firmware                       |               |
optoma    | wps-pro_firmware                         |               |
sharp     | pn-l703wa_firmware                       |               |
teqavit   | wips710_firmware                         |               |

Detection & IOCs (extracted from sources)

path: /cgi-bin/file_transfer.cgi
command: file_transfer=new&dir='Pa_Note/usr/sbin/telnetd -p 1271 -l /bin/shPa_Note'whoami
port: 1271
snort:
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Attempted Remote Command Injection Outbound (CVE-2019-3929)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/file_transfer.cgi"; endswith; http.request_body; content:"file_transfer="; startswith; content:"&dir=|27|Pa_Note"; distance:0; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027450; rev:4; metadata:attack_target IoT, created_at 2019_06_11, cve CVE_2019_3929, deployment Perimeter, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2024_04_13, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
snort:
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Attempted Remote Command Injection Inbound (CVE-2019-3929)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/file_transfer.cgi"; endswith; http.request_body; content:"file_transfer="; startswith; content:"&dir=|27|Pa_Note"; distance:0; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027451; rev:4; metadata:attack_target IoT, created_at 2019_06_11, cve CVE_2019_3929, deployment Perimeter, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2024_04_13, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
bytes: &dir=|27|Pa_Note
  • Exploit sends an HTTP POST to /cgi-bin/file_transfer.cgi with POST body starting with 'file_transfer=' and a 'dir' parameter containing a single-quote-wrapped shell command; semicolons are encoded as 'Pa_Note', plus signs as 'Pa_Add', and ampersands as 'Pa_Amp'.
  • The bad-character substitution scheme used in payloads replaces ';' with 'Pa_Note', '+' with 'Pa_Add', and '&' with 'Pa_Amp' — hunt for these strings in HTTP POST bodies to /cgi-bin/file_transfer.cgi.
  • A successful check/probe returns the string 'root' in the HTTP 200 response body, indicating command execution as root.
  • Post-exploitation telnetd backdoor is spawned on TCP port 1271 with /bin/sh as the login shell; monitor for unexpected telnetd processes and inbound connections to port 1271 on IoT/presentation devices.
  • The Metasploit module defaults to SSL (HTTPS) on port 443 with an ARMLE meterpreter reverse_tcp payload, and uses printf or wget CmdStager flavors with a linemax of 128 bytes for the Linux Dropper target.
  • The exploit is unauthenticated — no session cookie or credential is required. Any HTTP POST to /cgi-bin/file_transfer.cgi from an external IP should be treated as suspicious on affected devices.
  • The Metasploit module's Unix In-Memory target requires the 'telnetd' command to be available on the target; if telnetd is absent, only the Linux Dropper (ARMLE) target is viable.
  • The Linux Dropper target is architecture-specific (ARMLE); the default CmdStager flavor is 'printf' but 'wget' is also supported, with a linemax of 128 bytes.

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       | v2.0    | 10.0  | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck |         | 9.8   | CRITICAL |
cisa      |         | 9.8   | CRITICAL |