# Exploit Title: AWIND WiPG 1000 / Crestron AM-100
# Date: 06-12-2014
# Exploit Author: BrianWGray
# Contact: https://twitter.com/BrianWGray
# Vendor Homepage: http://www.wepresentwifi.com/wipg1000.html - http://www.crestron.com/products/model/AM-100
# Software Link: http://www.wepresentwifi.com/downloads.html
# Version: ~<1.0.3.7 through ?, The mitigation was to remove the login page. The authentication hash can still be generated
# Tested on: wipg-1000 and AM-100
# CVE : N/A
 

Presentation PDF 

Presentation Key.zip

 

Timeline:


* 06-12-2014: Discovered  

* 07-28-2014: Vendor Notified  

* 10-10-2014: Vendor changes static password "mistral660411" and changes telnet to dropbear ssh (now we don't have to upload dropbear to have ssh) 


Various other issues were reported including auth bypass, password resets, etc.

Auth Bypass PoC

Menu