Monday, January 27, 2020

[Symmetricom] SyncServer S100/S200/S250/S300/S350 - User Creation/Modification/Deletion - Not authenticated - (CVE-2020-9034)





Lately I have been researching a lot about NTP servers and other rack equipment that you commonly see in data centers. In a way, I have been thinking about how critical these devices are generally and how little or no security they have.

the SyncServer S100/S200/S250/S300/S350 devices in their WEB application, is not properly validating sessions in any of its functions ["Broken Access Authentication"], which allows an unauthenticated remote attacker to access critical functions of the application, such as the creation, modification or elimination of users.




We go to the ADMIN Menu => USERS => NEW USER. Once there, create any user and capture the request.

Now we will create a new user without being authenticated in the application

 To verify that the new user exists, I will use the cross directory I found - here is the description-

Now we test it on an S300 models 




In addition, we can use the same request to change the account of an existing user and make an "ACCOUNT TAKE OVER"





Affected Versions:

  • SyncServer S100 - 2.90.70.3 Build 2.90.70.3 
  • SyncServer S200 - 1.30
  • SyncServer S250 - 1.25
  • SyncServer S300 - 2.65.0 Build 2.65.0 
  • SyncServer S350 - 2.80.1 Build 2.80.1

CVE-2020-9034
By: @Linuxmonr4

Monr4

Autor

0 comentarios:

Post a Comment

 
biz.