CVE-2017-17743 UCOPIA Wireless Appliance restricted shell escape (< 5.1.11 / 5.0.19 / 4.4.20) feature image

Administrators can connect to their UCOPIA Wireless Appliance using the SSH (TCP/22) or Web SSH (TCP/222) interfaces. The system shell is restricted through the usage of rbash and clish: specific commands or flags are disallowed on purpose, therefore a malicious administrator might want to escape from this shell in order to execute arbitrary commands.

The vulnerability lies in the handling of the .bashrc file: rbash reads and executes this file before starting the restricted shell. However, the malicious admin has several techniques to write arbitrary contents to this file.

Exploitation

Please refer to the original post

External references