[Symmetricom] SyncServer S100/S200/S250/S300/S350 - Path Transversal - (CVE-2020-9029/CVE-2020-9030/CVE-2020-9031/CVE-2020-9032/CVE-2020-9033)

julio 16, 2023

[Symmetricom] SyncServer S100/S200/S250/S300/S350 - Path Transversal - (CVE-2020-9029/CVE-2020-9030/CVE-2020-9031/CVE-2020-9032/CVE-2020-9033)

A little about the teams I was working on:

The SyncServer® S250 Precision GPS. Network Time Server synchronizes clocks on servers for large or expanding networks and for the ever-demanding.

The SyncServer® S300™ is a high performance, enhanced security enterprise class GPS Network Time Server. It sets standards for security, accuracy, reliability, and redundancy in network time servers.

Well summarizing, these teams are NTP servers, that is, servers for the synchronization of TIME, something very critical for organizations, if there is a problem with the time of your servers there may be consequences on databases, logs or other services, for That is the importance that these servers are better protected.

As always, checking on the internet, to see what I find, I found this interesting device. Lately I have become a fan of NTP servers :)

The SyncServer S100/S200/S250/S300/S350 devices, in their WEB application, do not properly disinfect user input, so it is possible to manipulate some parameters, such as "FileName" in some functions of the application, such as kernel display, authentication, among others.

Well, it started with the "logs" section exploiting the vulnerability in the function shown in the "syslog"

It is IMPORTANT to MENTION that this vulnerability is possible to exploit it WITHOUT BEING AUTHENTICATED

SYSLOG Function:

I capture the request, and I find an interesting error. I capture the request, and I find an interesting error, where it is clearly shown what the application is doing behind, and thanks to this error we know how to place our payload