Cayin Signage Media Player 3.0 Root Remote Command Injection
Title: Cayin Signage Media Player 3.0 Root Remote Command Injection
Advisory ID: ZSL-2020-5569
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 04.06.2020
SMP-8000 v3.0
SMP-6000 v3.0 Build 19025
SMP-6000 v1.0 Build 14246
SMP-6000 v1.0 Build 14199
SMP-6000 v1.0 Build 14167
SMP-6000 v1.0 Build 14097
SMP-6000 v1.0 Build 14090
SMP-6000 v1.0 Build 14069
SMP-6000 v1.0 Build 14062
SMP-4000 v1.0 Build 14098
SMP-4000 v1.0 Build 14092
SMP-4000 v1.0 Build 14087
SMP-2310 v3.0
SMP-2300 v3.0 Build 19316
SMP-2210 v3.0 Build 19025
SMP-2200 v3.0 Build 19029
SMP-2200 v3.0 Build 19025
SMP-2100 v10.0 Build 16228
SMP-2100 v3.0
SMP-2000 v1.0 Build 14167
SMP-2000 v1.0 Build 14087
SMP-1000 v1.0 Build 14099
SMP-PROPLUS v1.5 Build 10081
SMP-WEBPLUS v6.5 Build 11126
SMP-WEB4 v2.0 Build 13073
SMP-WEB4 v2.0 Build 11175
SMP-WEB4 v1.5 Build 11476
SMP-WEB4 v1.5 Build 11126
SMP-WEB4 v1.0 Build 10301
SMP-300 v1.0 Build 14177
SMP-200 v1.0 Build 13080
SMP-200 v1.0 Build 12331
SMP-PRO4 v1.0
SMP-NEO2 v1.0
SMP-NEO v1.0
Apache/1.3.42 (Unix)
Apache/1.3.41 (Unix)
PHP/5.2.5
Linux 2.6.37
[23.05.2020] Vendor contacted.
[25.05.2020] Vendor responds asking more details.
[25.05.2020] Sent details to the vendor.
[04.06.2020] No response from the vendor.
[04.06.2020] Public security advisory released.
[2] https://packetstormsecurity.com/files/157942
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/182924
[4] https://cxsecurity.com/issue/WLB-2020060049
[05.06.2020] - Added reference [1], [2] and [3]
[22.06.2020] - Added reference [4]
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2020-5569
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 04.06.2020
Summary
CAYIN Technology provides Digital Signage solutions, including media players, servers, and software designed for the DOOH (Digital Out-of-home) networks. We develop industrial-grade digital signage appliances and tailored services so you don't have to do the hard work.Description
CAYIN SMP-xxxx suffers from an authenticated OS command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user through the 'NTP_Server_IP' HTTP GET parameter in system.cgi and wizard_system.cgi pages.Vendor
CAYIN Technology Co., Ltd. - https://www.cayintech.comAffected Version
SMP-8000QD v3.0SMP-8000 v3.0
SMP-6000 v3.0 Build 19025
SMP-6000 v1.0 Build 14246
SMP-6000 v1.0 Build 14199
SMP-6000 v1.0 Build 14167
SMP-6000 v1.0 Build 14097
SMP-6000 v1.0 Build 14090
SMP-6000 v1.0 Build 14069
SMP-6000 v1.0 Build 14062
SMP-4000 v1.0 Build 14098
SMP-4000 v1.0 Build 14092
SMP-4000 v1.0 Build 14087
SMP-2310 v3.0
SMP-2300 v3.0 Build 19316
SMP-2210 v3.0 Build 19025
SMP-2200 v3.0 Build 19029
SMP-2200 v3.0 Build 19025
SMP-2100 v10.0 Build 16228
SMP-2100 v3.0
SMP-2000 v1.0 Build 14167
SMP-2000 v1.0 Build 14087
SMP-1000 v1.0 Build 14099
SMP-PROPLUS v1.5 Build 10081
SMP-WEBPLUS v6.5 Build 11126
SMP-WEB4 v2.0 Build 13073
SMP-WEB4 v2.0 Build 11175
SMP-WEB4 v1.5 Build 11476
SMP-WEB4 v1.5 Build 11126
SMP-WEB4 v1.0 Build 10301
SMP-300 v1.0 Build 14177
SMP-200 v1.0 Build 13080
SMP-200 v1.0 Build 12331
SMP-PRO4 v1.0
SMP-NEO2 v1.0
SMP-NEO v1.0
Tested On
CAYIN Technology KT-Linux v0.99Apache/1.3.42 (Unix)
Apache/1.3.41 (Unix)
PHP/5.2.5
Linux 2.6.37
Vendor Status
[15.05.2020] Vulnerability discovered.[23.05.2020] Vendor contacted.
[25.05.2020] Vendor responds asking more details.
[25.05.2020] Sent details to the vendor.
[04.06.2020] No response from the vendor.
[04.06.2020] Public security advisory released.
PoC
cayin_smp.pyCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://www.exploit-db.com/exploits/48557[2] https://packetstormsecurity.com/files/157942
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/182924
[4] https://cxsecurity.com/issue/WLB-2020060049
Changelog
[04.06.2020] - Initial release[05.06.2020] - Added reference [1], [2] and [3]
[22.06.2020] - Added reference [4]
Contact
Zero Science LabWeb: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk