[TimeTools] - SR / SC Series Network Time Protocol Server - RCE - (CVE-2020-8963

julio 16, 2023

[TimeTools] - SR / SC Series Network Time Protocol Server - RCE - (CVE-2020-8963 | CVE-2020-8964)

According to the vendor's page:

https://timetoolsltd.com/products/network-time-server-appliances/gps-ntp-server-appliance/

SR Series GPS \ LF Radio NTP Time Servers

Synchronize your network with microsecond precision using Network Time Protocol (NTP \ SNTP).

Accurately synchronize Windows, Linux, Unix, Servers and Workstations, Time Displays, CCTV systems, DVR’s, telephone systems, switches, routers and more!

GPS, MSF and DCF-77 reference clock options for Stratum 1 operation. Peering and Stratum 2 operation via NTP servers.

-----------------------------------------------------------------------------------------------------------------------

Downloading and analyzing the firmware of the device, I found that the cookie is hardcoded as a backdoor in the t3.cgi binary and obviously this allows you to log into any devices that are exposed on the internet.

Taking advantage of the hardcoded cookie, we send the t3axs coockie by GET as follows and enter any of the affected devices:

[https://x.x.x.x/t3.cgi?t3axs=TiMEtOOlsj7G3xMm52wB]

Well, that was the first vulnerability, and the one that would facilitate the scenario for the rest.

Continuing with the analysis, I also find an OS command Injection, which together with the hardcoded cookie makes it an "unauthenticated remote OS command Injection", which allows you to take control directly of any of the affected devices, they could execute commands such as ROOT

In Servers SR and SC series

The application expects two parameters, the first one is a valid cookie (t3axs) and the second the "srmodel", which ends up passing as a parameter to "system()" so we can inject our code there.

The "rtime" parameter ends in the function system() as a parameter, which allows us to inject our code into that parameter

Running "ls" command in settime function

checking "/etc/shadow", so root is the user who is rooning those commands

Factorymodel function

In server T100/T300/T550 series, exactly the same happens as in the firmware of the indoor devices.

The only difference with the previous case is that the output is not reflected in the response of the web server, but if we redirect it to the path "/home/root/www/output.txt" we can see the response of each command.

To complete a reverse shell

Affected Devices:

SR9850
SR9750
SC9705
SR9210
SC9205
SR7110
SC7105
T100
T300
T550

CVE:

CVE-2020-8963
CVE-2020-8964

By: @linuxmonr4

Buscar este blog

Cacharros in the wild

[TimeTools] - SR / SC Series Network Time Protocol Server - RCE - (CVE-2020-8963 | CVE-2020-8964)

Comentarios

Publicar un comentario

Entradas populares

[EVERTZ] - Path Transversal && Arbitrary File Upload = SHELL [CVE-2020-22159 ]

[ITERIS] - Vantage Velocity Field Unit - Os Code Injection - (CVE-2020-9020)