Symmetricom SyncServer S100/S200/S250/S300/S350 - Path Transversal - (CVE-2020-9029/CVE-2020-9030/CVE-2020-9031/CVE-2020-9032/CVE-2020-9033)

基本字段

漏洞编号:
SSV-98166
披露/发现时间:
未知
提交时间:
2020-03-09
漏洞等级:
漏洞类别:
目录穿越
影响组件:
Symmetricom SyncServer
漏洞作者:
未知
提交者:
Knownsec

来源

漏洞详情

贡献者 共获得  0KB

Symmetricom SyncServer S100/S200/S250/S300/S350 - Path Transversal - (CVE-2020-9029/CVE-2020-9030/CVE-2020-9031/CVE-2020-9032/CVE-2020-9033)

A little about the teams I was working on:

The SyncServer® S250 Precision GPS. Network Time Server synchronizes clocks on servers for large or expanding networks and for the ever-demanding.

The SyncServer® S300™ is a high performance, enhanced security enterprise class GPS Network Time Server. It sets standards for security, accuracy, reliability, and redundancy in network time servers.

Well summarizing, these teams are NTP servers, that is, servers for the synchronization of TIME, something very critical for organizations, if there is a problem with the time of your servers there may be consequences on databases, logs or other services, for That is the importance that these servers are better protected.

As always, checking on the internet, to see what I find, I found this interesting device. Lately I have become a fan of NTP servers :)

The SyncServer S100/S200/S250/S300/S350 devices, in their WEB application, do not properly disinfect user input, so it is possible to manipulate some parameters, such as "FileName" in some functions of the application, such as kernel display, authentication, among others.

Well, it started with the "logs" section exploiting the vulnerability in the function shown in the " syslog "

It is IMPORTANT to MENTION that this vulnerability is possible to exploit it WITHOUT BEING AUTHENTICATED

SYSLOG Function:

I capture the request, and I find an interesting error. I capture the request, and I find an interesting error, where it is clearly shown what the application is doing behind, and thanks to this error we know how to place our payload

So we reformulate the payload and forward it so that it shows us the file /etc/passwd



AUTH.LOG Function:

DAEMON.LOG Function:

KERN.LOG Function:
**


**

**






**MESSAGES Function:

**


















**Affected Versions:

  • SyncServer S100 - **2.90.70.3 Build 2.90.70.3 **
  • **SyncServer S200 - 1. 30**
  • SyncServer S250 - 1.25
  • SyncServer S300 - **2.65.0 Build 2.65.0 **
  • SyncServer S350 - 2.80.1 Build 2.80.1

|
CVE-2020-9029
CVE-2020-9030
CVE-2020-9031
CVE-2020-9032
CVE-2020-9033
---|---
By: @Linuxmonr4 **





**

共 0  兑换了

PoC

暂无 PoC

参考链接

解决方案

临时解决方案

暂无临时解决方案

官方解决方案

暂无官方解决方案

防护方案

暂无防护方案

人气 9615
评论前需绑定手机 现在绑定

暂无评论

※本站提供的任何内容、代码与服务仅供学习,请勿用于非法用途,否则后果自负