Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection #19425
This module exploits a command injection vulnerability in the Cypress Solutions CTM-200 version 2.7.1. By injecting commands via the `fw_url` POST parameter in the `ctm-config-upgrade.sh` script, an attacker can execute arbitrary commands as the root user.
Hey @0x45dd, thank you so much for the module contribution!
I took a quick look at the code and left a couple of quick comments, although there are a couple of things I've noticed about the PR itself that need addressing first:
I think you may have accidentally included a couple of extra files from your `data/exploits/` directory. If you could remove those that would be appreciated.
I noticed you forked the metasploit-framework repository, which is great, but you've submitted a PR from your master branch. We'll need you to resubmit the module from a unique branch in your own fork.
The linting tests are failing and there's no documentation file included with the module. I'll add some labels to this PR which will auto-generate some responses and guide you through how to address those issues.
Thanks again for the PR, and if you have any questions please don't hesitate to ask.
```ruby
'DefaultOptions' => {
  'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'
}
```
When looking up this device I noticed:
The CTM-200 is a Linux based platform powered by ARM Cortex-A8 800 MHz superscalar processor.
The ARM Cortex-A8 is a 32-bit processor core licensed by ARM Holdings implementing the ARMv7-A architecture.
The `linux/x86/meterpreter/reverse_tcp` payload has an `Arch` of `ARCH_X86`. In the module you've defined the only supported `Arch` to be `ARCH_CMD`, so I don't think this would run as is.
You'd likely want to keep `ARCH_CMD` defined and find a CMD based payload that is supported by the device. Then, if you also want to include a Linux Dropper payload which would make use of the included `Msf::Exploit::CmdStager` mixin, you would want to define that target to use one of our ARM based meterpreter payloads.
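The compatibility rule behind this comment, as an added stand-alone example that is not code from the PR or from Metasploit itself: a payload is only selectable for a target whose declared `Arch` and `Platform` accept it, so a module whose only target is `ARCH_CMD` can never default to an x86 Meterpreter, while adding an ARM `Linux Dropper` target makes an `armle` Meterpreter usable. The target layout and the payload table below are constructed for illustration; the arch/platform names mirror Metasploit's constants and payload names as an assumption, not a lookup of the real module tree.

```ruby
# Added example (not PR or Metasploit code): a small model of the framework's
# target/payload compatibility check, to show why the module as submitted cannot
# use linux/x86/meterpreter/reverse_tcp and what an ARM dropper target adds.

ARCH_CMD   = 'cmd'.freeze
ARCH_X86   = 'x86'.freeze
ARCH_ARMLE = 'armle'.freeze

# Targets as the module could declare them (assumed layout): the existing
# command target plus the ARMv7 dropper target suggested in the review.
TARGETS = {
  'Unix Command'  => { arch: [ARCH_CMD],   platform: %w[unix linux] },
  'Linux Dropper' => { arch: [ARCH_ARMLE], platform: %w[linux] }
}.freeze

# Constructed sample of payload modules with the arch/platform they declare.
PAYLOADS = [
  { name: 'cmd/unix/reverse_netcat',             arch: ARCH_CMD,   platform: 'unix' },
  { name: 'cmd/unix/reverse_bash',               arch: ARCH_CMD,   platform: 'unix' },
  { name: 'linux/x86/meterpreter/reverse_tcp',   arch: ARCH_X86,   platform: 'linux' },
  { name: 'linux/armle/meterpreter/reverse_tcp', arch: ARCH_ARMLE, platform: 'linux' }
].freeze

# Payloads a given target can carry: both arch and platform must match.
def compatible_payloads(target_name, targets: TARGETS, payloads: PAYLOADS)
  target = targets.fetch(target_name)
  payloads
    .select { |p| target[:arch].include?(p[:arch]) && target[:platform].include?(p[:platform]) }
    .map { |p| p[:name] }
end

# A DefaultOptions PAYLOAD only makes sense if at least one target accepts it.
def default_payload_valid?(payload_name, targets: TARGETS, payloads: PAYLOADS)
  targets.keys.any? do |t|
    compatible_payloads(t, targets: targets, payloads: payloads).include?(payload_name)
  end
end

if __FILE__ == $PROGRAM_NAME
  TARGETS.each_key { |t| puts "#{t}: #{compatible_payloads(t).join(', ')}" }
  puts "x86 meterpreter usable?  #{default_payload_valid?('linux/x86/meterpreter/reverse_tcp')}"
  puts "armle meterpreter usable? #{default_payload_valid?('linux/armle/meterpreter/reverse_tcp')}"
end
```

With only the `Unix Command` target present (drop the `Linux Dropper` entry from `TARGETS`), no Meterpreter payload is compatible at all, which is the situation the submitted module is in.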
```ruby
OptString.new('RHOST', [true, 'The target address']),
OptString.new('LHOST', [true, 'The local host for reverse shell']),
OptString.new('LPORT', [true, 'The local port for reverse shell'])
```
These datastore options don't need to be explicitly defined here. The payload the user selects will include them if necessary.
Suggested change (remove these options):
```ruby
OptString.new('RHOST', [true, 'The target address']),
OptString.new('LHOST', [true, 'The local host for reverse shell']),
OptString.new('LPORT', [true, 'The local port for reverse shell'])
```
```ruby
register_options(
  [
    OptString.new('TARGETURI', [true, 'The base path to the vulnerable application', '/cgi-bin/webif/ctm-config-upgrade.sh']),
```
The `TARGETURI` option is used in a slightly different way. If the user installs the application in a directory like `/cypress` and the vulnerable endpoint then becomes `/cypress/cgi-bin/webif/ctm-config-upgrade.sh`, the `TARGETURI` option is then used to account for the non-standard installation directory and would be set to `/cypress`.
In this case the default value can be set to `/` and the vulnerable endpoint can be moved down to the `send_request_cgi` statement.
```ruby
# Send the POST request to the target
res = send_request_cgi({
  'method' => 'POST',
  'uri' => normalize_uri(target_uri.path),
```
Suggested change:
```ruby
'uri' => normalize_uri(target_uri.path, '/cgi-bin/webif/ctm-config-upgrade.sh'),
```
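The `TARGETURI` convention from the two comments above, as an added stand-alone example that is not code from the PR or from Metasploit: `normalize_uri` joins the user-supplied install prefix with the fixed endpoint and collapses duplicate slashes, so `/`, `/cypress` and `/cypress/` all resolve correctly, whereas the original layout (the whole endpoint in `TARGETURI`) breaks as soon as a user sets the prefix. The `normalize_uri` below is a simplified re-implementation written for this example (an assumption about the helper's behaviour, not the framework's source); the request hash mirrors the shape of the module's `send_request_cgi` call, and the `fw_url` value used is a placeholder, not an injection string.

```ruby
# Added example (not PR or Metasploit code): simplified normalize_uri semantics
# and the two ways of composing TARGETURI with the vulnerable endpoint.

# Join path segments, force a leading slash and collapse repeated slashes.
# Assumption: this matches the framework helper closely enough for the point.
def normalize_uri(*parts)
  path = parts.flatten.compact.join('/')
  path = "/#{path}" unless path.start_with?('/')
  path.gsub(%r{/+}, '/')
end

# The endpoint is fixed by the firmware; only the install prefix varies.
ENDPOINT = '/cgi-bin/webif/ctm-config-upgrade.sh'.freeze

# Reviewed convention: TARGETURI holds the install prefix ('/' by default).
def endpoint_for(target_uri)
  normalize_uri(target_uri, ENDPOINT)
end

# Original PR convention: TARGETURI holds the whole endpoint, so a user who
# sets it to an install prefix ends up posting to the prefix alone.
def legacy_endpoint_for(target_uri)
  normalize_uri(target_uri)
end

# Request hash in the shape of the module's send_request_cgi call. fw_url is
# the POST parameter named in the PR description; the value is caller-supplied.
def build_request(target_uri, fw_url)
  {
    'method'    => 'POST',
    'uri'       => endpoint_for(target_uri),
    'vars_post' => { 'fw_url' => fw_url }
  }
end

if __FILE__ == $PROGRAM_NAME
  ['/', '/cypress', '/cypress/', 'cypress'].each do |prefix|
    puts format('%-10s -> %s', prefix, endpoint_for(prefix))
  end
  puts "legacy layout with TARGETURI=/cypress -> #{legacy_endpoint_for('/cypress')}"
end
```

Setting `TARGETURI` to `/cypress` under the original layout yields a request to `/cypress` itself, which is the mismatch the review is pointing at.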
Thanks for your pull request! We require all contributed code to come from a unique branch in your repository before it can be merged. Please create a new branch in your fork of framework and resubmit this from that branch. If you are using Git on the command line that may look like:
This helps protect the process, ensures users are aware of commits on the branch being considered for merge, allows for a location for more commits to be offered without mingling with other contributor changes, and allows contributors to make progress while a PR is still being reviewed. Please do resubmit from a unique branch, we greatly value your contribution! 🎉
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:
You can automate most of these changes with the
Please update your branch after these have been made, and reach out if you have any problems.
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
Hey @0x45dd, I forgot that by adding the