Meinberg LANTIME M1000 - RCE - (CVE-2020-7240)

https://sku11army.blogspot.com/2020/01/meinberg-lantime-m1000-rce.html ### Meinberg LANTIME M1000 - RCE - (CVE-2020-7240) [](https://images.seebug.org/1583428903542-w331s) LANTIME M1000 is an NTP server of the Meinberg brand, and through one of the functions of the web application, it is possible to execute commands directly in the operating system. The default credentials of this devices are _**root: timeserver**_ [](https://images.seebug.org/1583428910664-w331s) Although, through import backup we can change configurations, from the same web application, we can execute commands directly in the operating system, taking advantage of the fact that we can edit a startup script of the network **_"/config/netconf.cmd"_** and each time it It is edited, it is automatically executed, so we do not need to restart the device to execute our commands **_Tested devices:_** M1000 and M300 **Step by step:** First, we need to **_authenticate_** in the application and once we have access we go to the following menu: _**Network = > Extended Network Configuration**_ [](https://images.seebug.org/1583428914410-w331s)[](https://images.seebug.org/1583428917390-w331s) The device which I tested, does not have an internet output, so it is necessary to execute OS commands and save the output in a file. Enter the commands you want to execute in the operating system and save the output to a file, in this case, I saved it in the **_/etc/hosts_** [](https://images.seebug.org/1583428920427-w331s) To see the result it is necessary to enter the following menu: **_System = > Diagnostic => Download Diagnostic File_** [](https://images.seebug.org/1583428923619-w331s) There we download the configurations a series of files, and if we look in the path **_/startup/network/etc/hosts_** , we will see the output of our command inside the file. [](https://images.seebug.org/1583428930101-w331s) [](https://images.seebug.org/1583428936151-w331s) In M300 Version [](https://images.seebug.org/1583428942921-w331s) **Note** : In devices M1000 you can create bind shell usgin native netcat command CVE-2020-7240 By: @linuxmonr4