
RACOM M!DGE2 Privilege Escalation via SDK Testing Endpoint

High

Synopsis

A non-primary administrator user with admin rights to the web interface but without shell access permissions can display the configuration of the device, including the master admin password. This vulnerability also allows the user to give themselves shell access with the root GID.

Despite the tester user being assigned the administrator role, this crosses a security boundary because a regular user with admin privileges still requires the main admin password to perform certain actions. It is also possible to impose restrictions on that user (no shell, no access to the PHP CLI), and this vulnerability bypasses those as well.

This was tested on RACOM M!DGE2 4.6.40.106.

 

Proof of Concept

In the first screenshot we can see there is an it_admin user who has administrator rights but does not have shell access to the device.

[Screenshot: User accounts including it_admin, which does not have CLI access]

If we browse to /admin/sdkTesting.php we can see there is a console that allows us to run some code on the device.

[Screenshot: SDK testing console which allows us to run code on the device]

 

The below script will dump the main admin's password.

    ADMIN_PWD = nb_config_get("admin.password");
    printf(ADMIN_PWD);

[Screenshot: SDK testing script to dump the main admin password]

Alternatively, we can give ourselves shell access with the below script.

    nb_config_set("user.0.shell=sh");

After running this script in the test console we can go to /admin/userAccounts.php and see that our it_admin user now has shell access to the device.

[Screenshot: User accounts including it_admin, which now has CLI access]

When we SSH in as that user we can see we have shell access.

[Screenshot: CLI showing the it_admin user now has the root GID]
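Because no fix is available, operators are left with monitoring. The following is an added example (not part of the Tenable advisory or RACOM's software) that scans web-server access logs for use of the /admin/sdkTesting.php console by any account other than the primary administrator. It assumes an Apache/nginx "combined" log format whose user field carries the authenticated account name, and assumes the primary account is called "admin"; the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" format. The real M!DGE2
# web-server log format is an assumption here; adjust LOG_RE to match it.
SAMPLE_LOG = """\
10.0.0.5 - it_admin [26/Aug/2025:10:01:12 +0000] "GET /admin/userAccounts.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - it_admin [26/Aug/2025:10:02:30 +0000] "GET /admin/sdkTesting.php HTTP/1.1" 200 3090 "-" "Mozilla/5.0"
10.0.0.5 - it_admin [26/Aug/2025:10:02:45 +0000] "POST /admin/sdkTesting.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"
10.0.0.9 - admin [26/Aug/2025:10:05:01 +0000] "GET /admin/status.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
10.0.0.5 - it_admin [26/Aug/2025:10:06:00 +0000] "GET /admin/userAccounts.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The primary administrator account name is an assumption; every other account
# that reaches the SDK testing console is treated as a non-primary admin.
PRIMARY_ADMIN = "admin"
SDK_ENDPOINT = "/admin/sdkTesting.php"

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_sdk_console_use(log_text, primary_admin=PRIMARY_ADMIN):
    """Return (user, ip, method, timestamp) for every request to the SDK
    testing console made by an account other than the primary admin."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"].split("?")[0] != SDK_ENDPOINT:
            continue
        if rec["user"] != primary_admin:
            hits.append((rec["user"], rec["ip"], rec["method"], rec["ts"]))
    return hits

def summarize(hits):
    """Count console requests per (user, ip); a POST is a script execution."""
    counts = defaultdict(lambda: {"GET": 0, "POST": 0})
    for user, ip, method, _ in hits:
        counts[(user, ip)][method] = counts[(user, ip)].get(method, 0) + 1
    return dict(counts)

if __name__ == "__main__":
    for (user, ip), c in summarize(find_sdk_console_use(SAMPLE_LOG)).items():
        print(f"{user}@{ip}: {c['GET']} page loads, {c['POST']} script runs")
```

If the device's log does not record the authenticated user, correlate the console requests by source IP against the session that logged in from that address instead.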

Solution

There is currently no fix available.

Disclosure Timeline

April 24, 2025 - Tenable requests security contact.
May 6, 2025 - Tenable sends second request for a security contact.
May 7, 2025 - RACOM responds with contact information.
May 28, 2025 - Tenable sends disclosure email.
June 11, 2025 - RACOM responds indicating they do not believe this to be an issue.
June 27, 2025 - Tenable responds with a video and our reasoning.
July 7, 2025 - Tenable asks for confirmation of receipt of previous message and for status update.
July 8, 2025 - RACOM responds that they have reviewed and decided not to fix the issue.
August 22, 2025 - Tenable reminds RACOM that we intend to publish our findings on August 26.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

CVE ID: CVE-2025-36729
Tenable Advisory ID: TRA-2025-25
Credit: Derrie Sutton, Giulio Lyons
CVSSv3 Base / Temporal Score: 7.2
CVSSv3 Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected Products: RACOM M!DGE2
Risk Factor: High

Advisory Timeline

August 26, 2025 - Initial release.