Summary
Vendor: UCOPIA
Product: Wireless Appliance
Title: UCOPIA Wireless Appliance restricted shell escape (< 5.1.13)
CVE ID: CVE-2018-15481
Intrinsec ID: ISEC-V2018-01
Risk level: medium
Exploitability:
- Authenticated (an admin account is required – default credentials from the documentation: admin / bhu85tgb),
- Remotely if interfaces are exposed (SSH TCP/22 or Web SSH on TCP/222).
Impact: restricted shell escape: a malicious administrator could run undesired commands.
Variant of: CVE-2017-17743
Description
Administrators can connect to their UCOPIA Wireless Appliance using the SSH (TCP/22) or Web SSH (TCP/222) interfaces. The system shell is restricted through the usage of rbash and clish: specific commands or flags are disallowed on purpose, therefore a malicious administrator might want to escape from this shell in order to execute arbitrary commands.
The vulnerability lies in the handling of the ~/.ssh/config file on the UCOPIA system: OpenSSH reads this file when connecting to other machines through SSH. A malicious administrator can abuse the LocalCommand directive to start a sh shell locally after the connection is established, thereby obtaining an unrestricted shell.
The impact is the same as in the previous escape we disclosed with CVE-2017-17743.
Exploitation steps
Log in as admin (SSH / Web SSH): you obtain a restricted shell (the prompt is « > »).
Then, use scp (or any other available technique) on the appliance to retrieve a malicious .ssh/config file from the attacker machine. The malicious ~/.ssh/config file must contain this content:
    Host *
        PermitLocalCommand yes
        LocalCommand sh
        User root
- PermitLocalCommand allows the usage of the LocalCommand directive. We can do this since the global SSH configuration does not disallow it.
- LocalCommand is the command to run after the SSH connection is established. Here we want an unrestricted shell, so we choose « sh ».
We prepare the malicious .ssh/config on the attacker's side and store it in /tmp/config:
We download the file from the attacker’s machine (172.16.17.43) on the appliance and save it in ~/.ssh/config:
We confirm that the file is present and we connect again to the attacker’s machine (172.16.17.43), this time with ssh. We can see that we obtain an unrestricted shell (see the normal « $ » prompt) after establishing the connection.
We are in a chroot sandbox, therefore many classic commands are missing, e.g.:
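The following audit script is an added example, not code from the advisory or from UCOPIA. It resolves ssh client options the way ssh(1) does (user config first, then system-wide config, first value obtained wins) and reports when connecting to a host would run a LocalCommand locally; because of that precedence, a system-wide "PermitLocalCommand no" in /etc/ssh/ssh_config does not neutralise a user-level "yes", which is why the fix belongs in the restricted shell or the appliance update rather than in the global client config. Both sample configurations are constructed for this example; Host negation patterns ("!") are not modelled.

```python
"""Detect a LocalCommand-based shell escape in OpenSSH client configuration."""
import re
from fnmatch import fnmatch
from typing import Dict, List, Tuple

# Constructed sample: the user-level ~/.ssh/config described in the advisory.
USER_CONFIG = """
Host *
    PermitLocalCommand yes
    LocalCommand sh
    User root
"""

# Constructed sample: a system-wide ssh_config an operator might add as a "fix".
SYSTEM_CONFIG = "Host *\n    PermitLocalCommand no\n"


def parse_config(text: str) -> List[Tuple[str, str, str]]:
    """Return (host_patterns, keyword, value) triples in file order.
    Keywords are case-insensitive; 'Key value' and 'Key=value' are accepted."""
    patterns, entries = "*", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            patterns = value  # a Host line opens a new section
        else:
            entries.append((patterns, key, value))
    return entries


def resolve(hostname: str, *configs: str) -> Dict[str, str]:
    """Effective options for hostname; configs are in ssh(1) precedence order,
    and the first value obtained for a keyword is the one that applies."""
    effective: Dict[str, str] = {}
    for text in configs:
        for patterns, key, value in parse_config(text):
            # Host accepts several space-separated glob patterns (assumed plain globs).
            if key not in effective and any(fnmatch(hostname, p) for p in patterns.split()):
                effective[key] = value
    return effective


def audit(hostname: str, user_cfg: str, system_cfg: str) -> List[str]:
    """Report when 'ssh hostname' would execute a local command after connecting."""
    eff = resolve(hostname, user_cfg, system_cfg)
    if eff.get("permitlocalcommand", "no").lower() == "yes" and "localcommand" in eff:
        return [f"ssh {hostname} runs LocalCommand '{eff['localcommand']}' locally"]
    return []
```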
Versions affected
All versions before (<) 5.1.13.
Solutions
Upgrade to the latest version, at least 5.1.13.
Please note that Intrinsec has not reviewed the security fix.
Credits
Vulnerability discovered by Clément Notin / @cnotin.
Vulnerability disclosed in coordination with Ucopia and the CERT-Intrinsec.
External references
Mitre: CVE-2018-15481
History
- 2018-04-11: vulnerability discovery
- 2018-04-13: advisory ready
- 2018-04-16: advisory sent to UCOPIA
- 2018-04-17: UCOPIA confirms the vulnerability
- 2018-05-11: UCOPIA plans a fix for the next release
- 2018-07-xx: version 5.1.13 including the fix is available
- 2018-08-06: update available for all clients
- 2018-08-20: CVE number assigned
- 2018-08-20: Intrinsec publishes its advisory
— Clément Notin