CVE-2017-17743 UCOPIA Wireless Appliance restricted shell escape (< 5.1.11 / 5.0.19 / 4.4.20)

Summary

Vendor: UCOPIA

Product: Wireless Appliance

Title: UCOPIA Wireless Appliance restricted shell escape (< 5.1.11 / 5.0.19 / 4.4.20)

CVE ID: CVE-2017-17743

Intrinsec ID: ISEC-V2017-02

Risk level: medium

Exploitability:

  • Authenticated (an admin account is required – default credentials from the documentation: admin / bhu85tgb),
  • Remotely if interfaces are exposed (SSH TCP/22 or Web SSH on TCP/222).

Impact: restricted shell escape; a malicious administrator could run arbitrary commands outside the restricted shell.

Description

Administrators can connect to their UCOPIA Wireless Appliance using the SSH (TCP/22) or Web SSH (TCP/222) interfaces. The system shell is restricted through the use of rbash and clish: specific commands or flags are deliberately disallowed, so a malicious administrator might want to escape from this shell in order to execute arbitrary commands.

The vulnerability lies in the handling of the .bashrc file: rbash reads and executes this file before starting the restricted shell (bash only enforces its restrictions after the startup files have been read, so whatever .bashrc contains runs unrestricted). A malicious admin has several techniques to write arbitrary content to this file.

The impact is the same as in the previously disclosed escape by Sysdream in CVE-2017-11321.

Exploitation steps

Log in as admin (SSH / Web SSH): you obtain a restricted shell (the prompt is « > »).

Then, use scp on the appliance to retrieve a malicious .bashrc file from the attacker machine (or any other available technique). The malicious .bashrc file must contain only « /bin/sh ».

In the following screenshot, 172.20.200.242 is the attacker’s IP address:

Then, the attacker re-connects to 172.20.100.105 (the appliance IP) and obtains an unrestricted shell (see the normal « $ » prompt):

The resulting process tree is the following; we clearly see that rbash launched /bin/sh:

Versions affected

All versions before (<) 5.1.11, 5.0.19 and 4.4.20.

Solutions

Upgrade to the latest version, at least 5.1.11, 5.0.19 or 4.4.20 (the three currently supported major versions).

Please note that Intrinsec has not reviewed the security fix.
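The check below is an added example for this advisory, not Intrinsec's or UCOPIA's code. It covers the condition described above and the fix's intent from the defender's side: bash applies its restrictions only after the startup files are read, so an rbash-confined account must not own or be able to write its .bashrc, the other startup files, or the home directory that could be used to create them. It assumes a POSIX sh with a stat(1) that accepts -c '%U %a' (GNU coreutils or BusyBox); the home directory and user name passed on the command line are placeholders.

```shell
#!/bin/sh
# Added example (not from the advisory or the vendor): audit the startup files of
# an account confined with rbash. A startup file the restricted user can modify
# runs before the restrictions apply and defeats the confinement.
# Assumption: stat(1) supports -c '%U %a' (GNU coreutils or BusyBox).

# Files bash may read for login or interactive shells. The home directory is
# audited as well: if the user can write it, they can create any missing file.
STARTUP_FILES=".bashrc .bash_profile .bash_login .profile .bash_logout"

# audit_path PATH USER
# Returns 0 if PATH is neither owned by USER nor group/world-writable,
# otherwise prints a finding and returns 1.
audit_path() {
    path="$1"; user="$2"
    info=$(stat -c '%U %a' "$path" 2>/dev/null) || {
        echo "FINDING: $path cannot be inspected"
        return 1
    }
    owner=${info% *}
    mode=${info#* }
    # Keep the last three octal digits (user/group/other), dropping any
    # leading setuid/setgid/sticky digit that %a may print.
    prefix=${mode%???}
    perm=${mode#"$prefix"}
    grp=${perm#?}; grp=${grp%?}
    oth=${perm#??}
    if [ "$owner" = "$user" ]; then
        echo "FINDING: $path is owned by the restricted user $user"
        return 1
    fi
    # An octal digit with the write bit set is 2, 3, 6 or 7.
    case "$grp$oth" in
        *[2367]*)
            echo "FINDING: $path is group- or world-writable (mode $mode)"
            return 1 ;;
    esac
    return 0
}

# audit_restricted_home HOME_DIR USER
# Audits HOME_DIR and every startup file present in it. Prints the number of
# findings and returns 0 only when there are none.
audit_restricted_home() {
    home="$1"; user="$2"; findings=0
    audit_path "$home" "$user" || findings=$((findings + 1))
    for f in $STARTUP_FILES; do
        [ -e "$home/$f" ] || continue
        audit_path "$home/$f" "$user" || findings=$((findings + 1))
    done
    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Usage (placeholder values): sh audit-rbash-home.sh /home/admin admin
if [ $# -eq 2 ]; then
    audit_restricted_home "$1" "$2"
fi
```

Run it against the home directory of every rbash-confined account after an upgrade or a configuration change; a clean result means the account can neither edit nor recreate the files bash reads before its restrictions take effect. A group-writable home directory is reported even when the individual files look fine, because that alone lets the user add a new .bashrc.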

Credits

Vulnerability discovered by Clément Notin / @cnotin.

Vulnerability disclosed in coordination with Ucopia and the CERT-Intrinsec.

External references

Mitre: CVE-2017-17743

History

  • 2017-10-09: advisory sent to UCOPIA
  • 2017-10-10: UCOPIA confirms the vulnerability
  • 2017-11-02: UCOPIA plans a fix for the next release
  • 2017-12-19: CVE number assigned
  • 2018-01-19: UCOPIA publishes a fix for the current 5.1 version, fixes for the older major versions (5.0 & 4.4) are to be published in February. Intrinsec agrees to postpone the publication.
  • 2018-02-28: UCOPIA informs that the updates for the three supported major versions are published. Intrinsec agrees on a delay in the publication to ensure that all customers receive the fix.
  • 2018-03-19: Intrinsec publishes its advisory, as agreed.

— Clément Notin