Akkadian Provisioning Manager Information Disclosure and Restricted Shell Escape
Akkadian Labs: CVE-2020-27361, CVE-2020-27362: Akkadian Provisioning Manager 4.50.02
Author: Nelson Maher
The Akkadian Provisioning Manager assists with provisioning and monitoring Cisco-UC products through a web interface. Black Lantern Security (BLS) discovered that, by default, there are a number of dangerous settings configured by Akkadian that negatively impact the security of the product.
CVE-2020-27361
One such dangerous configuration is that directory listing is enabled by default on the web server. This allows an unauthenticated user to browse and download the entirety of the web directory.
Compounding the severity, the Akkadian Provisioning Manager also stores backups of its database in the web directory.
Since the database backups are stored within the Akkadian Provisioning Manager’s web directory and directory listing is enabled, unauthenticated users are able to download the database backups.
CVE-2020-27362
Weak default passwords have always been an issue for the security industry. In recent years, however, a large number of manufacturers have started setting default passwords to values that are unique to the physical device for which they are intended. Examples of these unique passwords include serial numbers, or software that includes credential creation as part of the installation process. The Akkadian Provisioning Manager, by contrast, takes a much more simplistic approach to setting credentials for the default local account: it sets the default username to akkadianuser and the default password to akkadianpassword. The user is then presented with a restricted shell upon logging into the Akkadian Provisioning Manager server. During testing, BLS identified two possible ways to escape this restricted shell and obtain a root shell on the system.
For the first method, BLS found that the restricted shell allowed users to edit configuration files with vim. Since BLS could launch vim, BLS could then use the :! bash command to escape the restricted shell and enter a bash shell. The bash shell was launched within the context of the user that was running the restricted shell, which happened to be the root user.
For the second method, BLS found that the restricted shell could be escaped by specifying a command to execute on the server with the ssh command. For instance, the command ssh akkadianuser@Server bash would ssh to the Akkadian Provisioning Manager as the akkadianuser and immediately launch a bash shell. The akkadianuser has the ability to use sudo with any command without a password. Since the akkadianuser can use sudo with any command, the command sudo bash could be used to obtain a root shell on the system.
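A defender-side check for the second escape path, added here as an example and not code from Black Lantern Security or Akkadian: it reads sudoers and sshd_config text and reports every account that may run all commands through sudo without a password, together with the ForceCommand (if any) that sshd applies to it, since ForceCommand makes sshd ignore a command supplied by the ssh client. The sample configuration and the /usr/local/bin/restricted-shell path are constructed assumptions.

```python
import re

# Constructed sample configuration; not taken from the appliance.
SUDOERS = """\
root ALL=(ALL) ALL
akkadianuser ALL=(ALL) NOPASSWD: ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""
SSHD_WEAK = "PermitRootLogin no\nPasswordAuthentication yes\n"
# /usr/local/bin/restricted-shell is a hypothetical path.
SSHD_PINNED = SSHD_WEAK + ("Match User akkadianuser\n"
                           "    ForceCommand /usr/local/bin/restricted-shell\n")

def passwordless_sudo_all(sudoers_text):
    """Return sudoers principals allowed to run ALL commands with NOPASSWD."""
    hits = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)", line)
        if not m:
            continue
        who, spec = m.groups()
        nopasswd = False  # a tag carries over to later commands in the list
        for cmd in spec.split(","):
            cmd = cmd.strip()
            while (tag := re.match(r"([A-Z_]+):\s*", cmd)):
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                cmd = cmd[tag.end():]
            if cmd == "ALL" and nopasswd:
                hits.append(who)
                break
    return hits

def forced_command_for(sshd_text, user):
    """Return the ForceCommand sshd applies to `user`, or None.
    Handles the global section, 'Match all' and 'Match User a,b' (exact names)."""
    applies = True  # lines before the first Match apply to everyone
    for raw in sshd_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "match":
            crit = val.split()
            applies = crit[0].lower() == "all" or (len(crit) == 2
                and crit[0].lower() == "user" and user in crit[1].split(","))
        elif key == "forcecommand" and applies:
            return val
    return None

def audit(sudoers_text, sshd_text):
    """Map each passwordless-sudo account to its ForceCommand (None = not pinned)."""
    return {who: forced_command_for(sshd_text, who)
            for who in passwordless_sudo_all(sudoers_text)}
```

An account that maps to None has both conditions described above: a client-supplied command runs outside the restricted shell, and sudo asks for no password. Pinning the session with ForceCommand does not address the vim escape from the first method.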
Timeline
References
Akkadian Provisioning Manager, https://www.akkadianlabs.com/products/akkadian-provisioning-manager/
MITRE CVE 2020-27361, https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-27361
MITRE CVE 2020-27362, https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-27362