[Meinberg] LANTIME M1000 - RCE - (CVE-2020-7240)
LANTIME M1000 is an NTP server of the Meinberg brand, and through one of the functions of the web application, it is possible to execute commands directly in the operating system.
The default credentials of these devices are root:timeserver.
Although the backup-import feature also lets us change configurations, the same web application allows executing commands directly in the operating system: the network startup script "/config/netconf.cmd" can be edited from the web interface, and every time it is edited it is executed automatically, so there is no need to restart the device for our commands to run.
Tested devices: M1000 and M300
Step by step:
First, we need to authenticate in the application and once we have access we go to the following menu:
Network => Extended Network Configuration
The device I tested had no Internet access, so the OS commands have to be executed with their output saved to a file.
Enter the commands you want to execute in the operating system and redirect their output to a file; in this case I saved it to /etc/hosts.
To see the result it is necessary to enter the following menu:
System => Diagnostic => Download Diagnostic File
There we download a bundle of configuration files, and if we look at the path /startup/network/etc/hosts inside it, we will see the output of our command in that file.
On the M300 version:
Note: On M1000 devices you can create a bind shell using the native netcat command.
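As an added example (not part of the original post), a small audit script that a defender can run over a netconf.cmd exported from the device, for instance from the diagnostic bundle, to spot the kind of injected content described above. It assumes the file is a plain shell script in which only a handful of network setup commands are expected; that baseline (EXPECTED_CMDS) is an assumption and should be adjusted to the real contents of an untouched device.

```python
import re

# Commands a network startup script is expected to contain.
# Assumption: adjust this baseline from a known-clean device export.
EXPECTED_CMDS = {"ifconfig", "route", "ip", "hostname"}

# Patterns that have no business in a network startup script.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\bnc\b|\bnetcat\b"), "netcat invocation"),
    (re.compile(r">\s*/etc/"), "output redirected into /etc"),
    (re.compile(r"[;&|`]|\$\("), "shell chaining or command substitution"),
]


def audit_netconf(text):
    """Return (line number, reason, line) for every suspicious line in a netconf.cmd."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not executed
        cmd = line.split()[0]
        if cmd not in EXPECTED_CMDS:
            findings.append((lineno, f"unexpected command '{cmd}'", line))
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, reason, line))
    return findings


# Constructed sample: two legitimate lines plus one injected line of the
# kind the write-up above describes (command output written into /etc/hosts).
SAMPLE = """\
# network startup (constructed sample)
ifconfig eth0 192.0.2.10 netmask 255.255.255.0
route add default gw 192.0.2.1
id > /etc/hosts
"""

if __name__ == "__main__":
    for lineno, reason, line in audit_netconf(SAMPLE):
        print(f"line {lineno}: {reason}: {line}")
```

Pair this with a hash of the known-good netconf.cmd so that any change to the file, not only the patterns listed here, is flagged.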
CVE-2020-7240
By: @linuxmonr4