Monday, February 10, 2020

[TimeTools] - SR / SC Series Network Time Protocol Server - RCE - (CVE-2020-8963 | CVE-2020-8964)



According to the vendor's page:


SR Series GPS \ LF Radio NTP Time Servers
Synchronize your network with microsecond precision using Network Time Protocol (NTP \ SNTP).

Accurately synchronize Windows, Linux, Unix, Servers and Workstations, Time Displays, CCTV systems, DVRs, telephone systems, switches, routers and more!

GPS, MSF and DCF-77 reference clock options for Stratum 1 operation. Peering and Stratum 2 operation via NTP servers.
-----------------------------------------------------------------------------------------------------------------------

Downloading and analyzing the firmware of the device, I found that a cookie is hardcoded as a backdoor in the t3.cgi binary, and obviously this allows anyone to log into any device that is exposed on the internet.


Taking advantage of the hardcoded cookie, we send the t3axs cookie as a GET parameter as follows and are logged into any of the affected devices:

[https://x.x.x.x/t3.cgi?t3axs=TiMEtOOlsj7G3xMm52wB]
That was the first vulnerability, and the one that enables the rest.

Continuing the analysis, I also found an OS command injection which, combined with the hardcoded cookie, becomes an unauthenticated remote OS command injection: it allows anyone to take direct control of any affected device, and the injected commands run as root.

On SR and SC series servers:

The application expects two parameters: the first is a valid cookie (t3axs) and the second is "srmodel", which ends up being passed as an argument to system(), so we can inject our commands there.


The "rtime" parameter ends in the function system() as a parameter, which allows us to inject our code into that parameter


Running the "ls" command through the settime function


Reading "/etc/shadow", confirming that the commands run as root


Factorymodel function


On the T100/T300/T550 series servers, exactly the same happens as in the firmware of the indoor devices.



The only difference from the previous case is that the output is not reflected in the web server's response, but if we redirect it to the path "/home/root/www/output.txt" we can read the output of each command from there.
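Detection over web-server access logs for the indicators described above (the hardcoded t3axs token, shell metacharacters in srmodel or rtime, and fetches of the output.txt drop file), as an added example that is not part of the original post. The log lines are constructed in Common Log Format; the real devices' log format, and whether /home/root/www/output.txt is served as /output.txt, are assumptions.

```python
from __future__ import annotations

import re
from urllib.parse import unquote_plus, urlsplit

# Backdoor token value as published in the advisory above.
BACKDOOR_TOKEN = "TiMEtOOlsj7G3xMm52wB"
# Parameters the advisory says reach system().
INJECTABLE_PARAMS = ("srmodel", "rtime")
# Characters that have no business in a model name or timestamp.
SHELL_META = re.compile(r"[;|&`$<>(){}\n\r]")
# Request line inside a CLF record, e.g. "GET /t3.cgi?x=y HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log (CLF). Line 2 carries the cookie plus a metacharacter
# in srmodel; line 3 fetches the file the advisory uses to collect output.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2020:10:01:02 +0000] "GET /t3.cgi?t3axs=TiMEtOOlsj7G3xMm52wB HTTP/1.1" 200 512
10.0.0.5 - - [10/Feb/2020:10:01:09 +0000] "GET /t3.cgi?t3axs=TiMEtOOlsj7G3xMm52wB&srmodel=SR9850%3Bls HTTP/1.1" 200 733
10.0.0.5 - - [10/Feb/2020:10:01:30 +0000] "GET /output.txt HTTP/1.1" 200 120
192.168.1.20 - - [10/Feb/2020:10:05:00 +0000] "GET /t3.cgi?srmodel=SR9850 HTTP/1.1" 200 640
192.168.1.20 - - [10/Feb/2020:10:05:01 +0000] "GET /index.html HTTP/1.1" 200 2048
"""


def parse_query(query: str) -> dict:
    # Hand-rolled so behaviour is identical across Python versions: split on
    # '&' only and percent-decode both name and value.
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def analyze_request(target: str) -> list[str]:
    """Return the list of indicators present in one request target."""
    findings = []
    parts = urlsplit(target)
    if not parts.path.endswith("/t3.cgi"):
        # Assumption: the drop file under the web root is served as /output.txt.
        if parts.path.endswith("/output.txt"):
            findings.append("fetch of output.txt (command output drop file)")
        return findings
    params = parse_query(parts.query)
    for value in params.get("t3axs", []):
        if value == BACKDOOR_TOKEN:
            findings.append("hardcoded backdoor cookie presented")
    for name in INJECTABLE_PARAMS:
        for value in params.get(name, []):
            if SHELL_META.search(value):
                findings.append(f"shell metacharacters in {name}")
    return findings


def scan_log(text: str) -> list[tuple[int, str, list[str]]]:
    """Return (line number, client address, findings) for every suspicious line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = analyze_request(match.group("target"))
        if findings:
            client = line.split(" ", 1)[0]
            hits.append((lineno, client, findings))
    return hits


if __name__ == "__main__":
    for lineno, client, findings in scan_log(SAMPLE_LOG):
        print(f"line {lineno} from {client}: " + "; ".join(findings))
```

Matching the token exactly keeps the alert high-confidence; a looser rule that flags any t3axs parameter would also catch legitimate logins if the same cookie name is used for real sessions, so it is better kept as a separate, lower-severity signal.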



To complete a reverse shell




Affected Devices:
  • SR9850
  • SR9750
  • SC9705
  • SR9210 
  • SC9205
  • SR7110 
  • SC7105
  • T100
  • T300
  • T550
CVE:
  • CVE-2020-8963
  • CVE-2020-8964
By: @linuxmonr4


:::Many thanks to Xploited for the support:::


