Monday, January 27, 2020

[Symmetricom] SyncServer S100/S200/S250/S300/S350 - User Creation/Modification/Deletion - Not authenticated - (CVE-2020-9034)

Lately I have been researching a lot about NTP servers and other rack equipment that you commonly see in data centers. In a way, I have been thinking about how critical these devices are generally and how little or no security they have.

The web application of the SyncServer S100/S200/S250/S300/S350 devices does not properly validate sessions in any of its functions ("Broken Access Authentication"), which allows an unauthenticated remote attacker to access critical functions of the application, such as the creation, modification or deletion of users.

[Symmetricom] SyncServer S100/S200/S250/S300/S350 - Stored XSS - Not authenticated - (CVE-2020-9028)

The web application of the SyncServer S100/S200/S250/S300/S350 devices does not properly sanitize user input, resulting in a stored XSS vulnerability, specifically in the "User Creation, Deletion and Password Maintenance" function, which makes it possible for an attacker to inject JavaScript code into the "newUserName" parameter when creating a new user.

This attack can be carried out without authentication because of the flaw described above (CVE-2020-9034).

[Symmetricom] SyncServer S100/S200/S250/S300/S350 - Path Traversal - (CVE-2020-9029/CVE-2020-9030/CVE-2020-9031/CVE-2020-9032/CVE-2020-9033)

A little about the devices I was working on:

The SyncServer® S250 Precision GPS Network Time Server synchronizes clocks on servers for large or expanding networks and for the ever-demanding.

The SyncServer® S300™ is a high performance, enhanced security enterprise class GPS Network Time Server. It sets standards for security, accuracy, reliability, and redundancy in network time servers.

[ELTEX] - Devices NTP-RG-1402G & NTP-2 - OS command Injection - (CVE-2020-9026/CVE-2020-9027)

The NTP-RG-1402G and NTP-2 devices are vulnerable to OS command injection through the PING and TRACE inputs of the "ping.cmd" resource, which allows an attacker to execute commands in the operating system and gain access to the server via a remote shell.


Well, reviewing the application, I found an interesting function called "Ping". Once we click on it, we have two options or commands, PING and TRACE. So I try the old reliable by injecting ";" and "|" followed by an operating system command, in this case "; ls" in both the PING command and the TRACE command, and it turns out that it shows me the list of files in both cases.

Once the command injection has been confirmed, I try to read /etc/passwd.

Perfect, now how about loading a shell? Well, for this I use wget, assign permissions to the binary and run it.

We get a shell.


The NTP-2 device, coincidentally, has these same "PING and TRACE" functions, so I repeat the procedure and inject an "ls" to test. Both functions are vulnerable, so I repeat the procedure to obtain a reverse shell.

Downloading, executing and obtaining the reverse shell

Affected Devices: 
  • NTP-RG-1402G - Hardware Version 1v10 - Software Version -
  • NTP-2 - Hardware Version 1v5:B+10 - Software Version -
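
As an added example (not code from the original post or from the ELTEX firmware), this is one way a handler behind a resource like "ping.cmd" can close the injection described above: validate the target as an IP address or hostname, then run the tool from an argument vector so no shell ever parses the input. The tool names, the `-c 4` option and all function names are assumptions for illustration.

```python
import ipaddress
import re
import subprocess

# Hypothetical mapping from the UI's two options to fixed argv prefixes.
TOOLS = {"PING": ["ping", "-c", "4"], "TRACE": ["traceroute"]}
ALLOWED = re.compile(r"[A-Za-z0-9.:-]{1,253}")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(?:\.{LABEL})*")


def unsafe_command(target):
    """The vulnerable pattern: the target is pasted into a shell string."""
    return "ping -c 4 " + target  # ';' and '|' reach the shell as operators


def validate_target(value):
    """Return the target if it is an IP address or hostname, else raise."""
    if not isinstance(value, str) or not ALLOWED.fullmatch(value):
        raise ValueError("target contains characters outside [A-Za-z0-9.:-]")
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    # Labels must start with an alphanumeric, so "-c"-style options fail too.
    if not HOSTNAME.fullmatch(value):
        raise ValueError("target is not a valid IP address or hostname")
    return value


def build_argv(tool, target):
    """Build an argument vector; no string is ever handed to a shell."""
    if tool not in TOOLS:
        raise ValueError("unknown diagnostic")
    return TOOLS[tool] + [validate_target(target)]


def run_diagnostic(tool, target):
    """Run the tool directly (shell=False) with a bounded runtime."""
    return subprocess.run(build_argv(tool, target), shell=False,
                          capture_output=True, text=True, timeout=30)
```
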

By: @Linuxmonr4