# Symmetricom SyncServer S100/S200/S250/S300/S350 - Path Transversal - (CVE-2020-9029/CVE-2020-9030/CVE-2020-9031/CVE-2020-9032/CVE-2020-9033)
[](https://1.bp.blogspot.com/-VIvnMzc_OQA/Xi-
Q-
Pe5bpI/AAAAAAAAAn0/4Sn9vd3SfgEjLLqgeGAldLlMB5mRdN-0wCLcBGAsYHQ/s1600/Microsemi-
Symmetricom-SyncServer-S250-GPS-NTP-Server-Network-Time-Receiver-2.jpg)
A little about the teams I was working on:
The SyncServer® S250 Precision GPS. Network Time Server synchronizes clocks on
servers for large or expanding networks and for the ever-demanding.
The SyncServer® S300™ is a high performance, enhanced security enterprise
class GPS Network Time Server. It sets standards for security, accuracy,
reliability, and redundancy in network time servers.
[](https://1.bp.blogspot.com/-e2f42QQ2JDs/Xi-
R-lT7F4I/AAAAAAAAAn8/xTD2bIO-
bLwEXiDnzPpLVK4uRJjd7f9EgCLcBGAsYHQ/s1600/1-INDEX.png)
Well summarizing, these teams are NTP servers, that is, servers for the
synchronization of TIME, something very critical for organizations, if there
is a problem with the time of your servers there may be consequences on
databases, logs or other services, for That is the importance that these
servers are better protected.
As always, checking on the internet, to see what I find, I found this
interesting device. Lately I have become a fan of NTP servers :)
The SyncServer S100/S200/S250/S300/S350 devices, in their WEB application, do
not properly disinfect user input, so it is possible to manipulate some
parameters, such as "FileName" in some functions of the application, such as
kernel display, authentication, among others.
Well, it started with the "logs" section exploiting the vulnerability in the
function shown in the " **syslog** "
**It is IMPORTANT to MENTION that this vulnerability is possible to exploit it
WITHOUT BEING AUTHENTICATED**
**SYSLOG Function:**
[](https://1.bp.blogspot.com/-TDQqFGc8YRY/Xi-U-2OVbQI/AAAAAAAAAoo/q3hQoMnFi1IS6EdVvpNu29y2v8S-LgK-
wCEwYBhgL/s1600/2-LFI_syslog.png)
I capture the request, and I find an interesting error. I capture the request,
and I find an interesting error, where it is clearly shown what the
application is doing behind, and thanks to this error we know how to place our
payload
[](https://1.bp.blogspot.com/-dPVUiymnAnI/Xi-U-4rqSFI/AAAAAAAAApY/PSTRW5NTxcYgXqTQtNlwSUvrCp06xV9lQCEwYBhgL/s1600/3-fullpath.png)
So we reformulate the payload and forward it so that it shows us the file
**_/etc/passwd_**
**_
_**
[](https://1.bp.blogspot.com/-7dgsz-
Sy1dY/Xi-Y9mxawqI/AAAAAAAAAp0/I9u_5coQh4UwwxPtOocHDly47BkMSFRgACLcBGAsYHQ/s1600/4-passwd.png)
**AUTH.LOG Function:**
[](https://1.bp.blogspot.com/-UhUJ_Ay-
UgU/Xi-U_cND0RI/AAAAAAAAApY/ZjMQMLCZw-
IksWag7hgckEw_5fiunsf6wCEwYBhgL/s1600/5-authlog.png)
[](https://1.bp.blogspot.com/-FiM3y4G_uOY/Xi-
U_jCV-7I/AAAAAAAAApg/ZBEHLBeKWZICuBhEgca2pWxEkT07EDUPACEwYBhgL/s1600/6-authlog_LFI.png)
**DAEMON.LOG Function:**
[](https://1.bp.blogspot.com/-YpwHUKTM6Fk/Xi-
U_0SzocI/AAAAAAAAApc/3WRj58fsv1IhMOzmKq_9z7mAzn5_-aDDwCEwYBhgL/s1600/7-daemonlog.png)
[](https://1.bp.blogspot.com/-TJAx80coZDE/Xi-
VAElO1wI/AAAAAAAAApc/cjz5qEE58RwjvTXIILIQr_NP-
op19YZogCEwYBhgL/s1600/8-daemonlog_LFI.png)
**KERN.LOG Function:**
**
------
**
[](https://1.bp.blogspot.com/-k4-JFJxULjw/Xi-
VAczKOjI/AAAAAAAAApg/OPAs2rPq_NYoplwqQVnTkLS6w-6oJbuwQCEwYBhgL/s1600/9-kernlog.png)
[](https://1.bp.blogspot.com/-oxetyzfuxuQ/Xi-U98xuCjI/AAAAAAAAApM/tl92Pnv8aV4nKtNJC92x3VaKGD9LScE-
gCEwYBhgL/s1600/10-kernlog_LFI.png)
**
------
------
------
------
------
****MESSAGES Function:**
**
**
[](https://1.bp.blogspot.com/-V-6pop1JCt4/Xi-U95-CrUI/AAAAAAAAApI/5twGq0_4EjAVAOYufkNE5HgC7nj4ZKrDgCEwYBhgL/s1600/11-message.png)
[](https://1.bp.blogspot.com/-F3_Fhhrm63M/Xi-
U-A5WyOI/AAAAAAAAApQ/m1VK-
VVG4L4vJzIOBujzUPUhA7D4AXLagCEwYBhgL/s1600/12-message_LFI.png)
**
------
------
------
------
------
------
------
------
------
------
------
------
------
------
------
------
------
****Affected Versions:**
- ****SyncServer S100 - ******2.90.70.3 Build 2.90.70.3 **
- ****SyncServer S200 - 1.** 30**
- **SyncServer S250** ** \- 1.25**
- **SyncServer S300 - ****2.65.0 Build 2.65.0 **
- **SyncServer S350 - 2.80.1 Build 2.80.1**
|
CVE-2020-9029
CVE-2020-9030
CVE-2020-9031
CVE-2020-9032
CVE-2020-9033
---|---
**By: @Linuxmonr4** **
------
------
------
------
**
A little about the teams I was working on:
The SyncServer® S250 Precision GPS. Network Time Server synchronizes clocks on
servers for large or expanding networks and for the ever-demanding.
The SyncServer® S300™ is a high performance, enhanced security enterprise
class GPS Network Time Server. It sets standards for security, accuracy,
reliability, and redundancy in network time servers.
Well summarizing, these teams are NTP servers, that is, servers for the
synchronization of TIME, something very critical for organizations, if there
is a problem with the time of your servers there may be consequences on
databases, logs or other services, for That is the importance that these
servers are better protected.
As always, checking on the internet, to see what I find, I found this
interesting device. Lately I have become a fan of NTP servers :)
The SyncServer S100/S200/S250/S300/S350 devices, in their WEB application, do
not properly disinfect user input, so it is possible to manipulate some
parameters, such as "FileName" in some functions of the application, such as
kernel display, authentication, among others.
Well, it started with the "logs" section exploiting the vulnerability in the
function shown in the " syslog "
It is IMPORTANT to MENTION that this vulnerability is possible to exploit it
WITHOUT BEING AUTHENTICATED
SYSLOG Function:
I capture the request, and I find an interesting error. I capture the request,
and I find an interesting error, where it is clearly shown what the
application is doing behind, and thanks to this error we know how to place our
payload
So we reformulate the payload and forward it so that it shows us the file
/etc/passwd
AUTH.LOG Function:
DAEMON.LOG Function:
KERN.LOG Function:
**
**
**
**MESSAGES Function:
**
**Affected Versions:
- SyncServer S100 - **2.90.70.3 Build 2.90.70.3 **
- **SyncServer S200 - 1. 30**
- SyncServer S250 - 1.25
- SyncServer S300 - **2.65.0 Build 2.65.0 **
- SyncServer S350 - 2.80.1 Build 2.80.1
|
CVE-2020-9029
CVE-2020-9030
CVE-2020-9031
CVE-2020-9032
CVE-2020-9033
---|---
By: @Linuxmonr4 **
**
京公网安备 11010502034610号
暂无评论