Eltex Devices NTP-RG-1402G & NTP-2 - OS command Injection - (CVE-2020-9026/CVE-2020-9027)

### - Eltex Devices NTP-RG-1402G & NTP-2 - OS command Injection - (CVE-2020-9026/CVE-2020-9027) [](https://images.seebug.org/1583428958720-w331s) **_Devices NTP-RG-1402G & NTP-2 _**presents a vulnerability of injecting OS commands into the input _**PING**_ and **_TRACE_** of the resource " _ **ping.cmd**_ ", which allows an attacker to execute commands in the operating system and gain access to the server via remote shell. **_ _****_ _****_NTP-RG-1402G_** **_ _**Well, reviewing the application, I found an interesting function called " **Ping** ", once we click on it, we have two options or commands, **PING** and **TRACE**. So I try the old reliable by injecting _";"_ and _"|"_ followed by an operating system command, in this case _**"; ls"**_ in both the **PING** command and the **TRACE** command, and it turns out that it shows me the list of files in both cases. [](https://images.seebug.org/1583428967469-w331s) [](https://images.seebug.org/1583428974013-w331s) Once the command injection has been confirmed I try to read the _/etc/passwd _ **_ _** [](https://1.bp.blogspot.com/-UGPjzOcCG6Y/Xi740se1mUI/AAAAAAAAAlc/FmEbfuSWbQgZHHH1OrQ0DEXCJV- LDyCbgCLcBGAsYHQ/s640/ping_passwd.png) [](https://images.seebug.org/1583429045079-w331s) Perfect, now how about loading a shell? .. well, for this I use _**wget**_ , I assign permissions to the binary and run [](https://images.seebug.org/1583429049429-w331s) [](https://1.bp.blogspot.com/-2_Di6YW3-As/Xi78ycaS2AI/AAAAAAAAAmY/UOAFRA_yxb4Fqf- TQMveMNey2_4PPqZgQCLcBGAsYHQ/s640/reverse_exe_list.png) We get shell [](https://images.seebug.org/1583429121015-w331s) **_NTP-2 _** **_ _** With the **NTP-2** device, coincidentally these " **PING** and **TRACE** " functions, so I repeat procedure and inject a " **ls** " to test and both functions are vulnerable, so I repeat the procedure to obtain reverse shell. [](https://images.seebug.org/1583429128448-w331s) [](https://images.seebug.org/1583429133161-w331s) Downloading, executing and obtaining the reverse shell [](https://images.seebug.org/1583429140620-w331s) [](https://images.seebug.org/1583429145801-w331s) ** Affected Devices: ** - **_NTP-RG-1402G - Hardware Version 1v10 \- Software Version - _****3.25.3.32** - **_**_NTP-2 - **_Hardware _** Version _**_****1v5:B+10 ****_\- Software Version - _******3.25.1.1226**** CVE-2020-9026 CVE-2020-9027 By: @Linuxmonr4 ** ** ** ** ** **