Akkadian Provisioning Manager Information Disclosure and Restricted Shell Escape

Akkadian Labs: CVE-2020-27361, CVE-2020-27362: Akkadian Provisioning Manager 4.50.02

Jul 01, 2021

Author: Nelson Maher

The Akkadian Provisioning Manager assists with provisioning and monitoring Cisco-UC products through a web interface. Black Lantern Security (BLS) discovered that, by default, there are a number of dangerous settings configured by Akkadian that negatively impact the security of the product.

CVE-2020-27361

One such dangerous configuration is that directory listing is enabled by default on the web server. This allows an unauthenticated user to browse and download the entirety of the web directory.

directory listing enabled — Viewing the Directory Listing of the /pme/media Directory

Compounding the severity, the Akkadian Provisioning Manager also stores backups of its database in the web directory.

database backups exposed — Viewing the Directory Containing Database backups

Since the database backups are stored within the Akkadian Provisioning Manager’s web directory and directory listing is enabled, unauthenticated users are able to download the database backups.

CVE-2020-27362

Weak default passwords have always been an issue for the security industry. Although, in recent years, a large number of manufacturers set default passwords to entries that are unique to the physical device for which they are intended. Examples of these unique passwords include serial numbers or software that includes credential creation as part of the installation process. The Akkadian Provisioning Manager, however, has a much more simplistic approach in setting credentials for the default local account. The Akkadian Provisioning Manager sets the default username to addadianuser and the default password to akkadianpassword. The user is then presented with a restricted shell upon logging into the Akkadian Provisioning Manager server. During testing, BLS identified two possible ways to escape this restricted shell and obtain a root shell on the system.

root shell on the Akkadian server — A Root Shell on the Akkadian Provisioning Manager

For the first method, BLS found that the restricted shell allowed users to edit configuration files with vim. Since BLS could launch vim, BLS could then use the :! bash command to escape the restricted shell and enter a bash shell. The bash shell was launched within the context of the user that was running the restricted shell, which happened to be the root user.

For the second method, BLS found that the restricted shell could be escaped by specifying a command to execute on the server with the ssh command. For instance, the command ssh akkadianuser@Server bash would ssh to the Akkadian Provisioning Manager as the akkadianuser and immediately launch a bash shell. The akkadianuser has the ability to use sudo with any command without a password. Since the akkadianuser can use sudo with any command, the command sudo bash could be used to obtain a root shell on the system.