CVE-2019-3930
Description
The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7 are vulnerable to a stack buffer overflow in libAwgCgi.so's PARSERtoCHAR function. A remote, unauthenticated attacker can use this vulnerability to execute arbitrary code as root via a crafted request to the return.cgi endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple presentation devices share a stack buffer overflow in libAwgCgi.so's PARSERtoCHAR function, allowing unauthenticated remote code execution as root via return.cgi.
Vulnerability
A stack buffer overflow exists in the PARSERtoCHAR function of libAwgCgi.so across multiple OEM presentation devices. Affected devices include Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 firmware 2.0.0.7 [1].
Exploitation
A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to the return.cgi endpoint. The attacker does not require any prior authentication, network position is remote, and no user interaction is needed. The overflow is triggered when parsing input into the PARSERtoCHAR function [1].
Impact
Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary code with root privileges on the affected device. This compromises the confidentiality, integrity, and availability of the device and potentially the network it is connected to. The attacker gains full control of the device [1].
Mitigation
Barco wePresent WiPG-1600W firmware 2.4.1.19 contains a fix. For other affected devices, users should contact the respective vendor for an official patch or firmware update. As of the publication date (2019-04-30), not all vendors had released fixes; no workaround is described in the reference [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3- Range: = 2.3.0.10
- Crestron/Crestron AirMedia, Barco WePresent, Extron ShareLink, Teq AV IT WIPS710, SHARP PN-L703WA, Optoma WPS-Pro, Blackbox HD WPS, InFocus LiteShow3, and InFocus LiteShow4.v5Range: Crestron AM-100 firmware 1.6.0.2
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds checking in the PARSERtoCHAR function allows input exceeding 0x100 bytes to overflow a fixed-size stack buffer."
Attack vector
A remote, unauthenticated attacker sends a crafted POST request to a CGI endpoint such as `file_transfer.cgi` with a `Content-Type: application/x-www-form-urlencoded` header. The payload includes a `dir` parameter whose value exceeds 0x100 bytes, which overflows a stack buffer in the `PARSERtoCHAR` function [ref_id=1]. The attacker can control the overflow data to overwrite the return address and achieve arbitrary code execution as root [ref_id=1].
Affected code
The vulnerability resides in the `PARSERtoCHAR` function within `libAwCgi.so`. This function is called by multiple HTTP CGI scripts, including `file_transfer.cgi` (unauthenticated) and `return.cgi` (authenticated) [ref_id=1].
What the fix does
The advisory does not include a patch diff or describe a specific fix. The recommended remediation is to update the affected devices to the latest firmware versions provided by the respective vendors, as listed in the Tenable research advisory [ref_id=1]. No further technical details about the patch are available in the supplied bundle.
Preconditions
- configThe target device must be running one of the affected firmware versions listed in the advisory.
- networkThe attacker must have network access to the device's HTTP interface (typically port 80 or 443).
- authNo authentication is required when targeting the file_transfer.cgi endpoint.
- inputThe attacker must send a POST request with a dir parameter longer than 0x100 bytes.
Reproduction
The advisory provides the following proof of concept: `curl -v --header "Content-Type: application/x-www-form-urlencoded" --request POST --data "file_transfer=new&dir=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaPa_NoteaaaaaaaaaaaaaaPa_Noteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" --insecure https://192.168.88.250/cgi-bin/file_transfer.cgi` [ref_id=1]. This triggers a segmentation fault with the program counter overwritten to `0x61616160` (the hex encoding of "aaaa") [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- www.tenable.com/security/research/tra-2019-20mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.