Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection

Title: Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection
Advisory ID: ZSL-2021-5687
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 10.10.2021
Summary
CTM-200 is the industrial cellular wireless gateway for fixed and mobile applications. The CTM-200 is a Linux-based platform powered by an ARM Cortex-A8 800 MHz superscalar processor. Its on-board standard features make the CTM-200 ideal for mobile fleet applications or fixed-site office and SCADA communications.
Description
The CTM-200 wireless gateway suffers from an authenticated, semi-blind OS command injection vulnerability. It can be exploited to inject and execute arbitrary shell commands as the root user through the 'ctm-config-upgrade.sh' script, using the 'fw_url' POST parameter. The parameter is used as an argument to the cmd upgreadefw command, which is called by ctmsys() as a pointer to execv() and by the make_wget_url() function to the wget command in the /usr/bin/cmdmain ELF binary.
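Added example, not part of the original advisory and not the vendor's code: one way a firmware-download handler could validate a value such as 'fw_url' and hand it to wget as a separate argv element for execv(), so that no shell ever parses it. The names fw_url_is_safe(), build_wget_argv() and FW_URL_MAX, the output path, and the use of wget's -O option are assumptions made for illustration.

```c
/* Added example: hypothetical names, not code from the CTM-200 firmware. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define FW_URL_MAX 512              /* assumed upper bound for a firmware URL */

/* Return 1 only for http(s) URLs built from a conservative character set. */
int fw_url_is_safe(const char *url)
{
    static const char allowed[] = "-._:/%";  /* besides alnum; no shell metacharacters */
    size_t len, i, start;

    if (url == NULL)
        return 0;
    len = strlen(url);
    if (len == 0 || len > FW_URL_MAX)
        return 0;
    if (strncmp(url, "http://", 7) == 0)
        start = 7;
    else if (strncmp(url, "https://", 8) == 0)
        start = 8;
    else
        return 0;                   /* also rejects a leading '-' (option injection) */
    if (url[start] == '\0' || url[start] == '/')
        return 0;                   /* a host part must be present */
    for (i = start; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (!isalnum(c) && strchr(allowed, c) == NULL)
            return 0;               /* backtick, $, ;, |, &, quotes, spaces, ... */
    }
    return 1;
}

/* Fill argv for a direct execv() of wget: no /bin/sh, URL placed after "--". */
int build_wget_argv(const char *url, const char *out_path, const char *argv[6])
{
    if (!fw_url_is_safe(url) || out_path == NULL || out_path[0] != '/')
        return -1;
    argv[0] = "wget";
    argv[1] = "-O";
    argv[2] = out_path;             /* fixed absolute path chosen by the caller */
    argv[3] = "--";                 /* end of options */
    argv[4] = url;                  /* one argument, never re-parsed by a shell */
    argv[5] = NULL;
    return 0;
}
```

The validation and the shell-free execv() call are independent layers: either one alone stops metacharacters in the parameter from being interpreted as commands.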
Vendor
Cypress Solutions Inc. - https://www.cypress.bc.ca
Affected Version
2.7.1.5659
2.0.5.3356-184
Tested On
GNU/Linux 2.6.32.25 (arm4tl)
BusyBox v1.15.3
Vendor Status
[21.09.2021] Vulnerability discovered.
[23.09.2021] Vendor contacted.
[09.10.2021] No response from the vendor.
[10.10.2021] Public security advisory released.
PoC
cypress_rce.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5479.php
[2] https://www.exploit-db.com/exploits/50408
[3] https://liquidworm.blogspot.com/2021/10/sec-haiku-sec.html
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/211079
[5] https://packetstormsecurity.com/files/164467
Changelog
[10.10.2021] - Initial release
[13.10.2021] - Added reference [2], [3], [4] and [5]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk