We recently obtained a ASUS B1M projector[0] and have been exploring its capabilities when we discovered trivial to exploit vulnerabilities. The ASUS B1M features a small Wi-Fi adapter for a direct wireless connection to a notebook PC, or Android and iOS devices. The projector comes with an embedded MIPS computer running Linux that can be used for streaming your desktop or mobile device similar to miracast using a USB wifi adapter. We discovered that the web service used by the projector is prone to command injection vulnerabilities, buffer overflows and the usual security mishaps made in embedded devices. The thttpd 2.25b web server runs by default on 192.168.111.1 and is accessible when a client connects to the device in access point mode. It is possible to inject commands into the embedded webserver of the projector which of course is running with full “root” privileges. The response of the commands can be echo’d back to the user by manipulating parameters to a CGI script as...
We recently obtained a ASUS B1M projector[0] and have been exploring its capabilities when we discovered trivial to exploit vulnerabilities. The ASUS B1M features a small Wi-Fi adapter for a direct wireless connection to a notebook PC, or Android and iOS devices. The projector comes with an embedded MIPS computer running Linux that can be used for streaming your desktop or mobile device similar to miracast using a USB wifi adapter. We discovered that the web service used by the projector is prone to command injection vulnerabilities, buffer overflows and the usual security mishaps made in embedded devices. The thttpd 2.25b web server runs by default on 192.168.111.1 and is accessible when a client connects to the device in access point mode. It is possible to inject commands into the embedded webserver of the projector which of course is running with full “root” privileges. The response of the commands can be echo’d back to the user by manipulating parameters to a CGI script as seen below. - See more at: https://www.myhackerhouse.com/asus-b1m-projector-remote-root-0day/#sthash.EQry4NOF.dpuf ``` GET /cgi-bin/apply.cgi?ssid="%20"`CMD` HTTP/1.1 Host: 192.168.111.1 - See more at: https://www.myhackerhouse.com/asus-b1m-projector-remote-root-0day/#sthash.EQry4NOF.dpuf ``` When exploiting this vulnerability the projector may become unresponsive as the vulnerable CGI component attempts to reconfigure the WIFI and fails, no in-built tools like netcat or telnet are supplied however you can make use of all the OS built-in commands (busybox is available). Thankfully these projectors don’t have an Internet connection (yet) so an attacker would need to be physically close enough to access the device wifi, which is set by default to an SSID of “ASUS-B1MR” with the password of “11111111”. As the exploit allows for full root access (whose password is 000000) an attacker could modify executable files of installers on the projector used for sharing laptop screens (which of course require admin privileges on the laptop!). Once those executable files are modified it would be possible to infect Windows and Apple computers connecting to the projector with malware. An attacker just needs to modify the files in “/mnt/EZdisplay/” such as “EZ_USB_installer.exe” to infect unsuspecting users. An attacker could also potentially install their own OS onto the device or manipulate the platform for other nefarious purposes/persistence and there appears to be no supported way of installing a firmware update so it seems this vulnerability will exist for quite some time. It really goes to show how poor security is in many consumer devices, as these systems begin entering our homes and work places we must be demanding better security practices from vendors to ensure such vulnerabilities do not make it into the wild especially if they cannot be trivially patched. It is a worrying trend when a device as benign as a projector could be used to deliver malware and we are increasingly seeing more IoT devices (not less) being shipped with such flaws. The screen shot below shows command injection being performed on an ASUS B1M device using netcat. We have sent details of this vulnerability to ASUS for a response. - See more at: https://www.myhackerhouse.com/asus-b1m-projector-remote-root-0day/#sthash.EQry4NOF.dpuf 
