AttackerKB: AKB:D3C248C5-405C-43B4-B8A7-8E6E6966F7C4
History: Apr 06, 2020 - 12:00 a.m.

CVE-2020-7357

2020-04-06 00:00:00
attackerkb.com

CVSS3: 9.9 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS2: 9 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Cayin CMS suffers from an authenticated, semi-blind OS command injection vulnerability that is reachable using default credentials. It can be exploited to inject and execute arbitrary shell commands as the root user through the ‘NTP_Server_IP’ HTTP POST parameter of the system.cgi page. This issue affects several branches and versions of the CMS application, including CME-SE, CMS-60, CMS-40, CMS-20, and CMS versions 8.2, 8.0, and 7.5.

Recent assessments:

h00die at June 17, 2020 4:05pm UTC reported:

Cayin CMS systems have an AUTHENTICATED RCE in the NTP configuration. The system didn’t install correctly on Ubuntu 20.04 at the time the exploit was released, and the company recommends Ubuntu 16.04, unknown if 18.04 will work. Grants root on Ubuntu.

Requires creds, default for CMS-SE was administrator:admin, but the original write-up mentions webadmin:bctvadmin.

CMS systems can come on hardware devices. On CMS-SE the exploitable file is system_service.cgi; however, the original vuln write-up mentions system.cgi, so it looks like there is a variance between the hardware devices and the Ubuntu installer. YMMV.

After authentication, the exploit is against the NTP server IP field. During testing of CMS-SE the Update button/functionality was used. Clicking Save did not have an immediate effect, and Test worked but executed 3 times. If your payload is small, you could use Test; however, with a larger payload like meterp, it was determined that the payload was written 3 times in each stage… So if the payload chunks were A, B, C, the payload ended up AAABBBCCC.
Due to the character limit, any payload that isn’t small will need to go through cmdstager-type chunking. The field can take ~200 characters (believed to be about ~230, but 200 was used in the exploit to allow for padding).

Assessed Attacker Value: 4
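As an added defender-side example (not code from AttackerKB, h00die, or Cayin), the following Python shows how a field such as NTP_Server_IP should be handled: accept only an IP address or a DNS hostname, build the time-sync command as an argv list rather than a shell string, and triage captured POST bodies to system.cgi / system_service.cgi for values that would fail that check. The CGI paths, the ntpdate helper, and the sample requests are assumptions constructed for the example.

```python
import ipaddress
import re

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens (max 253 chars).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)

def is_valid_ntp_server(value: str) -> bool:
    """True only for a bare IPv4/IPv6 address or a plain hostname.
    Anything else (spaces, ';', '|', '`', '$(' ...) is rejected outright,
    which is the allow-list check the vulnerable CGI was missing."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(value))

def build_ntpdate_argv(value: str) -> list:
    """Hardened form: validate, then pass the value as one argv element.
    Assumption: ntpdate is the helper; run it with subprocess.run(argv)
    (no shell=True), so the value can never be parsed as shell syntax."""
    if not is_valid_ntp_server(value):
        raise ValueError("rejected NTP_Server_IP value")
    return ["ntpdate", "-u", value]

# Endpoints named in the advisory and in h00die's assessment.
VULN_ENDPOINTS = ("system.cgi", "system_service.cgi")

def triage_requests(records):
    """records: list of (request_path, form_fields) captured e.g. by a reverse proxy.
    Returns (path, value) pairs where NTP_Server_IP is not a plain address/hostname."""
    hits = []
    for path, form in records:
        if path.rsplit("/", 1)[-1] not in VULN_ENDPOINTS:
            continue
        value = form.get("NTP_Server_IP")
        if value is not None and not is_valid_ntp_server(value):
            hits.append((path, value))
    return hits

# Constructed sample traffic (paths are assumed, not taken from a real device).
SAMPLE_REQUESTS = [
    ("/cgi-bin/system.cgi", {"NTP_Server_IP": "pool.ntp.org"}),
    ("/cgi-bin/system_service.cgi", {"NTP_Server_IP": "10.0.0.1;id"}),
    ("/cgi-bin/login.cgi", {"user": "administrator"}),
]

if __name__ == "__main__":
    print(triage_requests(SAMPLE_REQUESTS))
```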
