Eibiz i-Media Server Digital Signage 3.8.0 (createUser) Authentication Bypass (Add Admin)

Title: Eibiz i-Media Server Digital Signage 3.8.0 (createUser) Authentication Bypass (Add Admin)
Advisory ID: ZSL-2020-5586
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (5/5)
Release Date: 21.08.2020
Summary
EIBIZ develop advertising platform for out of home media in that time the world called "Digital Signage". Because most business customers still need get outside to get in touch which products and services. Online media alone cannot serve them right place, right time.
Description
The application suffers from unauthenticated privilege escalation and arbitrary user creation vulnerability that allows authentication bypass. Once serialized, an AMF encoded object graph may be used to persist and retrieve application state or allow two endpoints to communicate through the exchange of strongly typed data. These objects are received by the server without validation and authentication and gives the attacker the ability to create any user with any role and bypass the security control in place and modify presented data on the screen/billboard.
Vendor
EIBIZ Co.,Ltd. - http://www.eibiz.co.th
Affected Version
<=3.8.0
Tested On
Windows Server 2016
Windows Server 2012 R2
Windows Server 2008 R2
Apache Flex
Apache Tomcat/6.0.14
Apache-Coyote/1.1
BlazeDS Application
Vendor Status
[26.07.2020] Vulnerability discovered.
[30.07.2020] Vendor contacted.
[20.08.2020] No response from the vendor.
[21.08.2020] Public security advisory released.
PoC
imediasignage_addadmin.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/48763
[2] https://packetstormsecurity.com/files/158944/Eibiz-i-Media-Server-Digital-Signage-3.8.0-Authentication-Bypass.html
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/187182
[4] https://cxsecurity.com/issue/WLB-2020080117
Changelog
[21.08.2020] - Initial release
[19.09.2020] - Added reference [1], [2], [3] and [4]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk