
Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection

High
Advisory ID: ZSL-2021-5687
Release Date: 10 October 2021
Vendor: Cypress Solutions Inc. - https://www.cypress.bc.ca
Affected Version: 2.7.1.5659, 2.0.5.3356-184
Tested On: GNU/Linux 2.6.32.25 (arm4tl), BusyBox v1.15.3
Summary

CTM-200 is the industrial cellular wireless gateway for fixed and mobile applications. The CTM-200 is a Linux-based platform powered by an ARM Cortex-A8 800 MHz superscalar processor. Its on-board standard features make the CTM-200 ideal for mobile fleet applications or fixed site office and SCADA communications.

Description

The CTM-200 wireless gateway suffers from an authenticated, semi-blind OS command injection vulnerability. It can be exploited to inject and execute arbitrary shell commands as the root user through the 'ctm-config-upgrade.sh' script by way of the 'fw_url' POST parameter. The parameter is used as an argument to the cmd upgreadefw command in the /usr/bin/cmdmain ELF binary, where it is called by ctmsys() as a pointer to execv() and passed by the make_wget_url() function to the wget command.
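
One way to close this class of bug, shown as an added example that is not the vendor's code and not part of the original advisory: validate the firmware URL against a strict allowlist and hand it to wget as a single execv() argument instead of shell text. The function names, the 256-byte limit, the output path and the allowed character set are assumptions.

```c
/* Added example: names, limits and paths are assumptions, not code from cmdmain. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define FW_URL_MAX 256

/* Return 1 only for short http(s) URLs built from a conservative character set. */
int fw_url_is_safe(const char *url)
{
    static const char extra[] = "-._:/%";  /* URL punctuation the shell does not interpret */
    size_t len, i, start;
    if (url == NULL || (len = strlen(url)) == 0 || len >= FW_URL_MAX)
        return 0;
    if (strncmp(url, "https://", 8) == 0)
        start = 8;
    else if (strncmp(url, "http://", 7) == 0)
        start = 7;
    else
        return 0;                          /* unknown scheme, or a leading '-' option */
    if (!isalnum((unsigned char)url[start]))
        return 0;                          /* host must begin with a letter or digit */
    for (i = start; i < len; i++)
        if (!isalnum((unsigned char)url[i]) && strchr(extra, url[i]) == NULL)
            return 0;                      /* space, quotes, ; | & ` $ ( ) < > and so on */
    return 1;
}

/* Fill an argument vector for execv(): the URL is one argv element, never shell text. */
int fw_build_wget_argv(const char *url, const char *out_path, const char *argv[6])
{
    if (out_path == NULL || !fw_url_is_safe(url))
        return -1;
    argv[0] = "wget"; argv[1] = "-O"; argv[2] = out_path;
    argv[3] = "--";   argv[4] = url;  argv[5] = NULL;
    return 0;
}

int main(void)
{
    const char *argv[6];
    const char *samples[] = {              /* constructed inputs */
        "https://fw.example.invalid/ctm200/image.bin",
        "http://fw.example.invalid/image.bin;echo x",
        "-q http://fw.example.invalid/image.bin",
    };
    for (size_t i = 0; i < 3; i++)
        printf("%-46s %s\n", samples[i],
               fw_build_wget_argv(samples[i], "/tmp/fw.bin", argv) ? "rejected" : "accepted");
    return 0;
}
```

Validation and the argument vector are complementary: the allowlist rejects unexpected input early, and passing the URL as its own argv element means no shell parses it even if the allowlist is later loosened.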

Proof of Concept
Disclosure Timeline
21.09.2021 - Vulnerability discovered.
23.09.2021 - Vendor contacted.
09.10.2021 - No response from the vendor.
10.10.2021 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
10.10.2021 - Initial release
13.10.2021 - Added reference [2], [3], [4] and [5]
23.03.2026 - Added reference [6]