ReQuest Serious Play F3 Media Server 7.0.3 Unauthenticated Remote Code Execution
Title: ReQuest Serious Play F3 Media Server 7.0.3 Unauthenticated Remote Code Execution
Advisory ID: ZSL-2020-5602
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 18.10.2020
7.0.2.4954
6.5.2.4954
6.4.2.4681
6.3.2.4203
2.0.1.823
ReQuest Serious Play® OS v6.0.0
Debian GNU/Linux 5.0
Linux 3.2.0-4-686-pae
Linux 2.6.36-request+lenny.5
Apache/2.2.22
Apache/2.2.9
PHP/5.4.45
PHP/5.2.6-1
[16.08.2020] Vendor contacted.
[17.10.2020] No response from the vendor.
[18.10.2020] Public security advisory released.
[2] https://cxsecurity.com/issue/WLB-2020100116
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/190033
[4] https://www.exploit-db.com/exploits/48952
[20.10.2020] - Added reference [1] and [2]
[26.10.2020] - Added reference [3] and [4]
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2020-5602
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 18.10.2020
Summary
F3 packs all the power of ReQuest's multi-zone serious Play servers into a compact powerhouse. With the ability to add unlimited NAS devices, the F3 can handle your entire family's media collection with ease.Description
The ReQuest ARQ F3 web server suffers from an unauthenticated remote code execution vulnerability. Abusing the hidden ReQuest Internal Utilities page (/tools) from the services provided, an attacker can exploit the Quick File Uploader (/tools/upload.html) page and upload PHP executable files that results in remote code execution as the web server user.Vendor
ReQuest Serious Play LLC - http://www.request.comAffected Version
7.0.3.4968 (Pro)7.0.2.4954
6.5.2.4954
6.4.2.4681
6.3.2.4203
2.0.1.823
Tested On
ReQuest Serious Play® OS v7.0.1ReQuest Serious Play® OS v6.0.0
Debian GNU/Linux 5.0
Linux 3.2.0-4-686-pae
Linux 2.6.36-request+lenny.5
Apache/2.2.22
Apache/2.2.9
PHP/5.4.45
PHP/5.2.6-1
Vendor Status
[01.08.2020] Vulnerability discovered.[16.08.2020] Vendor contacted.
[17.10.2020] No response from the vendor.
[18.10.2020] Public security advisory released.
PoC
request_rce.pyCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://packetstormsecurity.com/files/159607/[2] https://cxsecurity.com/issue/WLB-2020100116
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/190033
[4] https://www.exploit-db.com/exploits/48952
Changelog
[18.10.2020] - Initial release[20.10.2020] - Added reference [1] and [2]
[26.10.2020] - Added reference [3] and [4]
Contact
Zero Science LabWeb: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk