Cypress CTM-200 2.7.1 Authenticated RCE via OS Command Injection (ZSL-2021-5687)

Title: Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection Advisory ID: ZSL-2021-5687 Type: Local/Remote Impact: System Access, DoS Risk: (4/5) Release Date: 10.10.2021 Summary: CTM-200 is an industrial cellular wireless gateway designed for fixed and mobile applications. It runs on a Linux-based platform powered by an ARM Cortex-A8 800 MHz superscalar processor. Its onboard standard features make the CTM-200 ideal for mobile fleet applications or fixed-site office and SCADA communications. Description: The CTM-200 wireless gateway is affected by an authenticated semi-blind OS command injection vulnerability. This flaw allows an attacker to inject and execute arbitrary shell commands as the root user via the 'ctm-config-upgrade.sh' script. The vulnerability arises from the 'fw_url' POST parameter used in the 'upgradefw' command, which is passed as an argument to the function (a pointer to ), and subsequently to the function that invokes the command in the ELF binary. Vendor: Cypress Solutions Inc. - Affected Version: 2.7.1.5659, 2.0.5.3356-184 Tested On: GNU/Linux 2.6.32.25 (arm4tl), BusyBox v1.15.3 Vendor Status: [21.09.2021] Vulnerability discovered. [23.09.2021] Vendor contacted. [09.10.2021] No response from the vendor. [10.10.2021] Public security advisory released. PoC: cypress_rce.txt Credits: Vulnerability discovered by Gjoko Krstic - References: [1] [2] [3] [4] [5] Changelog: [10.10.2021] - Initial release, [13.10.2021] - Added references [2], [3], [4], and [5] Contact: - Zero Science Lab - Web:

Goal Reached Thanks to every supporter — we hit 100%!

Cypress CTM-200 2.7.1 Authenticated RCE via OS Command Injection (ZSL-2021-5687)