# Symmetricom SyncServer S100/S200/S250/S300/S350 - Path Traversal - (CVE-2020-9029/CVE-2020-9030/CVE-2020-9031/CVE-2020-9032/CVE-2020-9033)

[![](https://images.seebug.org/1583459830877-w331s)](https://1.bp.blogspot.com/-VIvnMzc_OQA/Xi-Q-Pe5bpI/AAAAAAAAAn0/4Sn9vd3SfgEjLLqgeGAldLlMB5mRdN-0wCLcBGAsYHQ/s1600/Microsemi-Symmetricom-SyncServer-S250-GPS-NTP-Server-Network-Time-Receiver-2.jpg)

A little about the devices I was working on:

The SyncServer® S250 Precision GPS Network Time Server synchronizes clocks on
servers for large or expanding networks and for the ever-demanding.

The SyncServer® S300™ is a high performance, enhanced security enterprise
class GPS Network Time Server. It sets standards for security, accuracy,
reliability, and redundancy in network time servers.

[![](https://images.seebug.org/1583459835497-w331s)](https://1.bp.blogspot.com/-e2f42QQ2JDs/Xi-R-lT7F4I/AAAAAAAAAn8/xTD2bIO-bLwEXiDnzPpLVK4uRJjd7f9EgCLcBGAsYHQ/s1600/1-INDEX.png)

In summary, these devices are NTP servers, that is, servers for time
synchronization, something very critical for organizations: if there is a
problem with the time on your servers, there may be consequences for
databases, logs or other services. That is why it is important that these
servers are better protected.

As always, I was checking on the internet to see what I could find, and I found this
interesting device. Lately I have become a fan of NTP servers :)

The SyncServer S100/S200/S250/S300/S350 devices do not properly sanitize user
input in their web application, so it is possible to manipulate some
parameters, such as "FileName", in some functions of the application, such as
kernel display, authentication, among others.
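
One way a log viewer like this could validate the `FileName` parameter, as an added example (not code from the original post or from the vendor). The log directory, the allowlisted names (taken from the five log functions named in this write-up) and all function names are assumptions.

```python
import os

# Assumption: the five log views named in the write-up map to files in one
# log directory. LOG_DIR and the function names are hypothetical.
LOG_DIR = "/var/log"
ALLOWED_LOGS = {"syslog", "auth.log", "daemon.log", "kern.log", "messages"}


class RejectedFileName(ValueError):
    """Raised when a FileName value must not be served."""


def resolve_log_path(file_name, log_dir=LOG_DIR, allowed=ALLOWED_LOGS):
    """Map a user-supplied FileName to a path inside log_dir or raise."""
    if not isinstance(file_name, str) or "\x00" in file_name:
        raise RejectedFileName("malformed FileName")
    # 1. Allowlist: only the exact names the UI offers are accepted, so
    #    separators, '..' and absolute paths never reach the filesystem.
    if file_name not in allowed:
        raise RejectedFileName("FileName is not a known log")
    # 2. Containment: resolve symlinks and confirm the result is still in
    #    log_dir (covers a log name that is a symlink to another location).
    base = os.path.realpath(log_dir)
    target = os.path.realpath(os.path.join(base, file_name))
    if os.path.commonpath([base, target]) != base:
        raise RejectedFileName("resolved path escapes the log directory")
    return target


def read_log(file_name, log_dir=LOG_DIR, max_bytes=1 << 20):
    """Return up to max_bytes of a permitted log; generic error otherwise."""
    try:
        path = resolve_log_path(file_name, log_dir)
        with open(path, "rb") as fh:
            return fh.read(max_bytes).decode("utf-8", "replace")
    except (RejectedFileName, OSError):
        # Do not echo the resolved path or the OS error back to the client:
        # the write-up notes that the verbose error revealed how the
        # application builds the path.
        return "log not available"
```

Because the log views are reachable without authentication, a check like this has to run on every request to them, before any file is opened.
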

Well, it started with the "logs" section, exploiting the vulnerability in the
function shown under **syslog**.

**It is IMPORTANT to MENTION that this vulnerability can be exploited
WITHOUT BEING AUTHENTICATED.**

**SYSLOG Function:**

[![](https://images.seebug.org/1583459842637-w331s)](https://1.bp.blogspot.com/-TDQqFGc8YRY/Xi-U-2OVbQI/AAAAAAAAAoo/q3hQoMnFi1IS6EdVvpNu29y2v8S-LgK-wCEwYBhgL/s1600/2-LFI_syslog.png)

I capture the request, and I find an interesting error, where it is clearly
shown what the application is doing behind the scenes, and thanks to this
error we know how to place our payload.

[![](https://images.seebug.org/1583459845064-w331s)](https://1.bp.blogspot.com/-dPVUiymnAnI/Xi-U-4rqSFI/AAAAAAAAApY/PSTRW5NTxcYgXqTQtNlwSUvrCp06xV9lQCEwYBhgL/s1600/3-fullpath.png)

So we reformulate the payload and forward it so that it shows us the file
**_/etc/passwd_**

[![](https://images.seebug.org/1583459847597-w331s)](https://1.bp.blogspot.com/-7dgsz-Sy1dY/Xi-Y9mxawqI/AAAAAAAAAp0/I9u_5coQh4UwwxPtOocHDly47BkMSFRgACLcBGAsYHQ/s1600/4-passwd.png)

**AUTH.LOG Function:**

[![](https://images.seebug.org/1583459851873-w331s)](https://1.bp.blogspot.com/-UhUJ_Ay-UgU/Xi-U_cND0RI/AAAAAAAAApY/ZjMQMLCZw-IksWag7hgckEw_5fiunsf6wCEwYBhgL/s1600/5-authlog.png)

[![](https://images.seebug.org/1583459855990-w331s)](https://1.bp.blogspot.com/-FiM3y4G_uOY/Xi-U_jCV-7I/AAAAAAAAApg/ZBEHLBeKWZICuBhEgca2pWxEkT07EDUPACEwYBhgL/s1600/6-authlog_LFI.png)

**DAEMON.LOG Function:**

[![](https://images.seebug.org/1583459859598-w331s)](https://1.bp.blogspot.com/-YpwHUKTM6Fk/Xi-U_0SzocI/AAAAAAAAApc/3WRj58fsv1IhMOzmKq_9z7mAzn5_-aDDwCEwYBhgL/s1600/7-daemonlog.png)

[![](https://images.seebug.org/1583459865739-w331s)](https://1.bp.blogspot.com/-TJAx80coZDE/Xi-VAElO1wI/AAAAAAAAApc/cjz5qEE58RwjvTXIILIQr_NP-op19YZogCEwYBhgL/s1600/8-daemonlog_LFI.png)

**KERN.LOG Function:**

[![](https://images.seebug.org/1583459869308-w331s)](https://1.bp.blogspot.com/-k4-JFJxULjw/Xi-VAczKOjI/AAAAAAAAApg/OPAs2rPq_NYoplwqQVnTkLS6w-6oJbuwQCEwYBhgL/s1600/9-kernlog.png)

[![](https://images.seebug.org/1583459872227-w331s)](https://1.bp.blogspot.com/-oxetyzfuxuQ/Xi-U98xuCjI/AAAAAAAAApM/tl92Pnv8aV4nKtNJC92x3VaKGD9LScE-gCEwYBhgL/s1600/10-kernlog_LFI.png)

**MESSAGES Function:**

[![](https://images.seebug.org/1583459879077-w331s)](https://1.bp.blogspot.com/-V-6pop1JCt4/Xi-U95-CrUI/AAAAAAAAApI/5twGq0_4EjAVAOYufkNE5HgC7nj4ZKrDgCEwYBhgL/s1600/11-message.png)

[![](https://images.seebug.org/1583459883681-w331s)](https://1.bp.blogspot.com/-F3_Fhhrm63M/Xi-U-A5WyOI/AAAAAAAAApQ/m1VK-VVG4L4vJzIOBujzUPUhA7D4AXLagCEwYBhgL/s1600/12-message_LFI.png)

**Affected Versions:**

- **SyncServer S100 - 2.90.70.3 Build 2.90.70.3**
- **SyncServer S200 - 1.30**
- **SyncServer S250 - 1.25**
- **SyncServer S300 - 2.65.0 Build 2.65.0**
- **SyncServer S350 - 2.80.1 Build 2.80.1**

- CVE-2020-9029
- CVE-2020-9030
- CVE-2020-9031
- CVE-2020-9032
- CVE-2020-9033

**By: @Linuxmonr4**