← Advisories

Cayin Signage Media Player 3.0 Root Remote Command Injection

High
Advisory ID
ZSL-2020-5569
Release Date
04 June 2020
Vendor
CAYIN Technology Co., Ltd. - https://www.cayintech.com
Affected Version
SMP-8000QD v3.0, SMP-8000 v3.0, SMP-6000 v3.0 Build 19025, SMP-6000 v1.0 Build 14246, SMP-6000 v1.0 Build 14199, SMP-6000 v1.0 Build 14167, SMP-6000 v1.0 Build 14097, SMP-6000 v1.0 Build 14090, SMP-6000 v1.0 Build 14069, SMP-6000 v1.0 Build 14062, SMP-4000 v1.0 Build 14098, SMP-4000 v1.0 Build 14092, SMP-4000 v1.0 Build 14087, SMP-2310 v3.0, SMP-2300 v3.0 Build 19316, SMP-2210 v3.0 Build 19025, SMP-2200 v3.0 Build 19029, SMP-2200 v3.0 Build 19025, SMP-2100 v10.0 Build 16228, SMP-2100 v3.0, SMP-2000 v1.0 Build 14167, SMP-2000 v1.0 Build 14087, SMP-1000 v1.0 Build 14099, SMP-PROPLUS v1.5 Build 10081, SMP-WEBPLUS v6.5 Build 11126, SMP-WEB4 v2.0 Build 13073, SMP-WEB4 v2.0 Build 11175, SMP-WEB4 v1.5 Build 11476, SMP-WEB4 v1.5 Build 11126, SMP-WEB4 v1.0 Build 10301, SMP-300 v1.0 Build 14177, SMP-200 v1.0 Build 13080, SMP-200 v1.0 Build 12331, SMP-PRO4 v1.0, SMP-NEO2 v1.0, SMP-NEO v1.0
CVE
CVE-2020-36910
Tested On
CAYIN Technology KT-Linux v0.99, Apache/1.3.42 (Unix), Apache/1.3.41 (Unix), PHP/5.2.5, Linux 2.6.37
Summary

CAYIN Technology provides Digital Signage solutions, including media players, servers, and software designed for the DOOH (Digital Out-of-home) networks. We develop industrial-grade digital signage appliances and tailored services so you don't have to do the hard work.

Description

CAYIN SMP-xxxx suffers from an authenticated OS command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user through the 'NTP_Server_IP' HTTP GET parameter in system.cgi and wizard_system.cgi pages.

Proof of Concept
cayin_smp.pyTXT
Disclosure Timeline
15.05.2020Vulnerability discovered.
23.05.2020Vendor contacted.
25.05.2020Vendor responds asking more details.
25.05.2020Sent details to the vendor.
04.06.2020No response from the vendor.
04.06.2020Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.exploit-db.com/exploits/48557
[2]https://packetstormsecurity.com/files/157942
[3]https://exchange.xforce.ibmcloud.com/vulnerabilities/182924
[4]https://cxsecurity.com/issue/WLB-2020060049
[5]https://www.cve.org/CVERecord?id=CVE-2020-36910
Changelog
04.06.2020Initial release
05.06.2020Added reference [1], [2] and [3]
22.06.2020Added reference [4]
24.03.2026Added reference [5]