Administrators can connect to their UCOPIA Wireless Appliance using the SSH (TCP/22) or Web SSH (TCP/222) interfaces. The system shell is restricted through the usage of rbash and clish: specific commands or flags are disallowed on purpose, therefore a malicious administrator might want to escape from this shell in order to execute arbitrary commands.
The vulnerability lies in the handling of the ~/.ssh/config file on the UCOPIA system: OpenSSH reads this file when connecting to other machines through SSH. However, a malicious administrator could abuse the LocalCommand instruction to start a sh shell locally after establishing the connection, and therefore obtaining an unrestricted shell.
Please refer to the original post