Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection
Vendor: Cypress Solutions Inc.
Product web page: https://www.cypress.bc.ca
Affected version: 2.7.1.5659
                  2.0.5.3356-184
Summary: CTM-200 is the industrial cellular wireless gateway for fixed and mobile applications.
The CTM-200 is a Linux-based platform powered by an ARM Cortex-A8 800 MHz superscalar processor.
Its on-board standard features make the CTM-200 ideal for mobile fleet applications or fixed site
office and SCADA communications.
Desc: The CTM-200 wireless gateway suffers from an authenticated semi-blind OS command injection
vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user
through the 'ctm-config-upgrade.sh' script. The 'fw_url' POST parameter is used as the argument to
the 'cmd upgreadefw' command, which ctmsys() passes as a pointer to execv() and which the
make_wget_url() function passes to the wget command in the /usr/bin/cmdmain ELF binary.
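
The input handling this finding calls for, as an added example that is not taken from the vendor's firmware or from the advisory: a POSIX shell check that rejects any firmware URL containing characters outside a fixed allowlist, followed by a wget call that passes the value as a single quoted argument. The function names, the character set and the 2048-byte limit are assumptions made for illustration.

```shell
# Added example, not vendor code. is_safe_fw_url and fetch_firmware are
# hypothetical names; the allowlist and length limit are assumptions.

# Return 0 only for an http(s) URL made up solely of characters that
# carry no special meaning to a shell.
is_safe_fw_url() {
    url=$1
    # Reject empty and over-long values.
    [ -n "$url" ] || return 1
    [ "${#url}" -le 2048 ] || return 1
    # Require an explicit scheme; this also rules out a leading '-',
    # so the value can never be parsed as a command-line option.
    case $url in
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    # Reject anything outside the allowlist: whitespace, quotes,
    # backslashes and every shell metacharacter other than '&'
    # (allowed for query strings; inert only while the value stays quoted).
    case $url in
        *[!A-Za-z0-9._~:/?=\&%+-]*) return 1 ;;
    esac
    return 0
}

# Download only after validation. The URL is one quoted argument,
# never part of a string handed to eval or 'sh -c', and '--' ends
# option parsing before it.
fetch_firmware() {
    url=$1
    dest=$2
    if ! is_safe_fw_url "$url"; then
        echo "rejected firmware URL" >&2
        return 2
    fi
    wget -q -O "$dest" -- "$url"
}
```

The same validation has to hold at every layer that rebuilds the command line, since a check in the CGI script does not protect a binary that later concatenates the value into a shell string.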
================================================================================================
/www/cgi-bin/webif/ctm-config-upgrade.sh:
-----------------------------------------
if ! empty "$FORM_install_fw_url"; then
    echo ""
    echo " Installing firmware to flash ... DO NOT POWER OFF CTM-200 Gateway!