Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection
Advisory ID: ZSL-2021-5687
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 10.10.2021
Summary
CTM-200 is the industrial cellular wireless gateway for fixed and mobile applications. The CTM-200 is a Linux-based platform powered by an ARM Cortex-A8 800 MHz superscalar processor. Its on-board standard features make the CTM-200 ideal for mobile fleet applications or fixed site office and SCADA communications.
Description
The CTM-200 wireless gateway suffers from an authenticated semi-blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the 'ctm-config-upgrade.sh' script, leveraging the 'fw_url' POST parameter, which is used as an argument in the cmd upgreadefw command, called by ctmsys() as a pointer to execv(), and by the make_wget_url() function for the wget command in the /usr/bin/cmdmain ELF binary.
Vendor
Cypress Solutions Inc. - https://www.cypress.bc.ca
Affected Version
2.7.1.5659
2.0.5.3356-184
Tested On
GNU/Linux 2.6.32.25 (arm4tl)
BusyBox v1.15.3
Vendor Status
[21.09.2021] Vulnerability discovered.
[23.09.2021] Vendor contacted.
[09.10.2021] No response from the vendor.
[10.10.2021] Public security advisory released.
PoC
cypress_rce.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5479.php
[2] https://www.exploit-db.com/exploits/50408
[3] https://liquidworm.blogspot.com/2021/10/sec-haiku-sec.html
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/211079
[5] https://packetstormsecurity.com/files/164467
Changelog
[10.10.2021] - Initial release
[13.10.2021] - Added reference [2], [3], [4] and [5]
Contact
Zero Science Lab
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
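
The Description above attributes the injection to the 'fw_url' value reaching the wget invocation. The following is an added example, not code from the vendor firmware or from this advisory: one way a handler could accept such a value safely, using an allow-list check and execv() with the URL as a single argument. The function names, the permitted character set and the sample URLs are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Allow-list check for a firmware URL (hypothetical helper): fixed scheme,
 * bounded length, and a conservative character set that excludes shell
 * metacharacters, quotes and whitespace. '&' is excluded as well, so
 * multi-parameter query strings are rejected. */
int fw_url_is_safe(const char *url)
{
    static const char allowed[] = "-._~:/?#@+,=%";
    size_t len, i;

    if (url == NULL || (len = strlen(url)) == 0 || len > 512)
        return 0;
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (!isalnum(c) && strchr(allowed, c) == NULL)
            return 0;
    }
    return 1;
}

/* Run wget with no shell involved (hypothetical helper): the URL is one argv
 * element, so nothing in it is parsed as shell syntax, and the scheme check
 * guarantees it cannot start with '-' and be read as an option.
 * Returns -1 if the URL is rejected or execv() fails. */
int exec_wget(const char *wget_path, const char *url, const char *out)
{
    char *argv[] = { "wget", "-O", (char *)out, (char *)url, NULL };

    if (!fw_url_is_safe(url))
        return -1;
    execv(wget_path, argv);   /* replaces this process on success */
    return -1;                /* reached only if execv failed */
}

int main(void)
{
    /* Constructed inputs: a plain URL, then one carrying a metacharacter. */
    printf("%d\n", fw_url_is_safe("https://fw.example.invalid/fw.bin"));
    printf("%d\n", fw_url_is_safe("http://fw.example.invalid/fw.bin;true"));
    return 0;
}
```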