[EndRun Technologies] - Multiple Unauthenticated RCE [ CVE-2023-38966 ]
EndRun Technologies is dedicated to the development and refinement of the technologies required to fulfill the demanding needs of the time and frequency community.
--------------------------------------------------------------------------------------------------------------------------
EndRun NTP servers present vulnerabilities that allow an unauthenticated attacker to execute arbitrary OS commands via shell metacharacters in the login_check.php and upgrade_linux.php functions.
Requirements:
- Not authenticated
- HTTPS
- Accessible from the internet
Affected Devices:
- Tempus LX CDMA Network Time Server
- Sonoma Network Time Server GPS-Synchronized
- RTM3205 Precision Timing Module
- Meridian II 2U Precision TimeBase
- Unison CDME Network Time Server
Affected Components:
- login_check.php - Parameters [ user & pass ]
- upgrade_linux.php - Parameters [ user & pass ]
- webreboot.php - Parameters [ user & pass ]
login_check.php
The login_check.php resource receives the "user" and "pass" parameters, does not sanitize them, and passes them directly to PHP's system() function as part of an "echo" of the variable. Injecting shell metacharacters into either parameter therefore lets us append the operating system command that we want to execute.
So we escape with '; and then place the operating system command that we want to execute.
Reverse shell
upgrade_linux.php
The upgrade_linux.php resource receives the "user" and "pass" parameters, does not sanitize them, and passes them directly to PHP's shell_exec() function as part of an "echo" of the variable. Injecting shell metacharacters into either parameter therefore lets us append the operating system command that we want to execute.
So we escape with '; and then place the operating system command that we want to execute. In this case, we can inject a reverse shell.
webreboot.php
The webreboot.php resource receives the "user" and "pass" parameters, does not sanitize them, and passes them directly to PHP's exec() function as part of an "echo" of the variable. Injecting shell metacharacters into either parameter therefore lets us append the operating system command that we want to execute.
So we escape with '; and then place the operating system command that we want to execute. In this case, we can inject a reverse shell.
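As an added example (not code from this advisory or from EndRun), the following Python check flags shell metacharacters in the "user" and "pass" parameters of the three affected endpoints, for use in a reverse-proxy filter or log review in front of the device. It assumes the parameters arrive form-encoded in the query string or POST body; the function name, the metacharacter list and the sample requests are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Endpoints and parameters named in the advisory.
WATCHED_FILES = {"login_check.php", "upgrade_linux.php", "webreboot.php"}
WATCHED_PARAMS = ("user", "pass")

# Characters a POSIX shell treats specially (assumed list, not from the advisory).
SHELL_META = set("'\"`;|&$<>(){}\\\n\r")


def inspect_request(target, body):
    """Return sorted (param, char) findings for one request, or [] if clean."""
    parts = urlsplit(target)
    # Match on the file name so the check works whatever directory serves it.
    if parts.path.rsplit("/", 1)[-1] not in WATCHED_FILES:
        return []
    findings = set()
    # Look in both places a form-encoded parameter can travel.
    for source in (parts.query, body):
        # parse_qs percent-decodes, so %27%3B is seen as '; before matching.
        fields = parse_qs(source, keep_blank_values=True)
        for param in WATCHED_PARAMS:
            for value in fields.get(param, []):
                findings.update((param, ch) for ch in value if ch in SHELL_META)
    return sorted(findings)


# Constructed sample requests: (request target, form-encoded body).
SAMPLES = [
    ("/login_check.php", "user=operator&pass=Time2023"),
    ("/login_check.php", "user=a%27%3B+CMD&pass=x"),
    ("/cgi/upgrade_linux.php?user=ok", "pass=%27%3BCMD"),
    ("/index.php", "user=a%27%3B"),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        hits = inspect_request(target, body)
        print("ALERT" if hits else "ok   ", target, hits)
```

Legitimate passwords can contain some of these characters, so treat findings as alerts to triage rather than proof of an attack.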
By: @linuxmonr4