Black Lantern Security (BLSOPS)
blog.blacklanternsecurity.com
Vulnerability Research and Emerging Threats

Akkadian Provisioning Manager Information Disclosure and Restricted Shell Escape

Akkadian Labs: CVE-2020-27361, CVE-2020-27362: Akkadian Provisioning Manager 4.50.02

Nelson
Jul 1, 2021

The Akkadian Provisioning Manager assists with provisioning and monitoring Cisco-UC products through a web interface. Black Lantern Security (BLS) discovered that, by default, there are a number of dangerous settings configured by Akkadian that negatively impact the security of the product.

CVE-2020-27361

One such dangerous configuration is that directory listing is enabled by default on the web server. This allows an unauthenticated user to browse and download the entirety of the web directory.

Figure: Viewing the Directory Listing of the /pme/media Directory

Compounding the severity, the Akkadian Provisioning Manager also stores backups of its database in the web directory.

Figure: Viewing the Directory Containing Database Backups

Since the database backups are stored within the Akkadian Provisioning Manager’s web directory and directory listing is enabled, unauthenticated users are able to download the database backups.
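The following script is an added example for this post, not code from BLS or Akkadian Labs. It shows how a defender can audit a saved HTTP response from their own server for the two conditions described above: an auto-generated directory index, and backup-looking files inside that index. The HTML below is constructed to resemble a typical web-server index page; it is not captured from an Akkadian system, and the file names and backup suffix list are assumptions.

```python
from html.parser import HTMLParser

# Constructed sample of an auto-generated directory index page.
# It is NOT captured from an Akkadian server; the entries are made up.
SAMPLE_INDEX_HTML = """<html><head><title>Index of /pme/media</title></head>
<body><h1>Index of /pme/media</h1>
<a href="../">Parent Directory</a>
<a href="logo.png">logo.png</a>
<a href="backups/">backups/</a>
<a href="pme_backup_2020-10-01.sql.gz">pme_backup_2020-10-01.sql.gz</a>
<a href="pme.db.bak">pme.db.bak</a>
</body></html>"""

# Constructed sample of an ordinary application page, used as a negative case.
SAMPLE_APP_HTML = """<html><head><title>Provisioning Manager - Login</title></head>
<body><form action="/login"><a href="/help">Help</a></form></body></html>"""

# Assumed list of suffixes that usually indicate a database or archive backup.
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".bak", ".dump", ".tar.gz", ".zip")


class _IndexPageParser(HTMLParser):
    """Collects the <title> text and every <a href> value from an HTML page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _parse(html):
    parser = _IndexPageParser()
    parser.feed(html)
    return parser


def is_directory_listing(html):
    """Heuristic: auto-generated index pages title themselves 'Index of /path'."""
    return _parse(html).title.strip().lower().startswith("index of")


def listed_entries(html):
    """Return the relative entries of an index page, dropping parent-directory,
    absolute and sort-order links that web servers add around the real content."""
    return [h for h in _parse(html).hrefs if not h.startswith(("..", "/", "?", "http"))]


def exposed_backups(html):
    """Entries in the listing whose name ends with a backup-like suffix."""
    if not is_directory_listing(html):
        return []
    return [e for e in listed_entries(html) if e.lower().endswith(BACKUP_SUFFIXES)]


if __name__ == "__main__":
    # Audit the constructed sample the way a saved response from your own
    # server would be audited.
    print("directory listing:", is_directory_listing(SAMPLE_INDEX_HTML))
    print("backup files exposed:", exposed_backups(SAMPLE_INDEX_HTML))
```

Any non-empty result from exposed_backups on a page served from the web root means the two misconfigurations are combined as described in this post; the fix is to disable automatic index generation on the web server and to write database backups to a path outside the web directory.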

CVE-2020-27362

Weak default passwords have long been a problem for the security industry. In recent years, however, many manufacturers have moved to default passwords that are unique to the physical device, such as the serial number, or to installers that require the operator to create credentials as part of setup. The Akkadian Provisioning Manager takes a much simpler approach to the credentials of its default local account: the default username is akkadianuser and the default password is akkadianpassword. After logging in to the Akkadian Provisioning Manager server with these credentials, the user is placed in a restricted shell. During testing, BLS identified two ways to escape this restricted shell and obtain a root shell on the system.

Figure: A Root Shell on the Akkadian Provisioning Manager

For the first method, BLS found that the restricted shell allowed users to edit configuration files with vim. Because vim could be launched, its :! bash command could be used to leave the restricted shell and enter a bash shell. That bash shell ran in the context of the user running the restricted shell, which was the root user.

For the second method, BLS found that the restricted shell could be escaped by passing a command to the ssh command for execution on the server. For instance, ssh akkadianuser@Server bash connects to the Akkadian Provisioning Manager as akkadianuser and immediately launches a bash shell. Because akkadianuser can run any command through sudo without a password, sudo bash then yields a root shell on the system.
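Both escape paths in this section rest on two host-level settings a defender can audit: a sudoers entry granting passwordless ALL, and a restricted-shell allow-list that includes programs able to start a sub-shell (vim via :! and ssh via a remote command, the two the post names). The script below is an added example, not BLS or Akkadian code; the sudoers text is constructed, and the list of shell-capable programs is limited to the two this post describes.

```python
import re

# Constructed sample sudoers file, not taken from the product.
SAMPLE_SUDOERS = """
# Defaults
Defaults env_reset
root    ALL=(ALL:ALL) ALL
akkadianuser ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
%admin  ALL=(ALL) ALL
"""

# Programs this post shows escaping a restricted shell. Assumed list: only the
# two named in the text.
SHELL_CAPABLE = {
    "vim": "':! <command>' runs an arbitrary command from the editor",
    "ssh": "a trailing command argument runs on the remote host",
}

# user host=(runas) [TAG:] command
_SPEC = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")


def parse_sudoers(text):
    """Parse user-specification lines into dicts; comments, blank lines and
    Defaults lines are skipped. Aliases and includes are not handled."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = _SPEC.match(line)
        if not m:
            continue
        user, host, runas, rest = m.groups()
        tags = re.findall(r"\b([A-Z]+):", rest)
        command = re.sub(r"\b[A-Z]+:\s*", "", rest).strip()
        entries.append({
            "user": user,
            "host": host,
            "runas": runas or "",
            "tags": tags,
            "command": command,
        })
    return entries


def passwordless_all(entries):
    """Users or groups that may run ANY command via sudo with no password."""
    return [e["user"] for e in entries
            if "NOPASSWD" in e["tags"] and e["command"] == "ALL"]


def escape_capable(allowed_commands):
    """Restricted-shell allow-list entries that can spawn a sub-shell."""
    return [c for c in allowed_commands if c in SHELL_CAPABLE]


if __name__ == "__main__":
    entries = parse_sudoers(SAMPLE_SUDOERS)
    print("passwordless sudo ALL:", passwordless_all(entries))
    # Constructed allow-list for a restricted shell
    for prog in escape_capable(["vim", "ssh", "ping", "show-config"]):
        print(f"allow-list entry {prog}: {SHELL_CAPABLE[prog]}")
```

Running this against a real /etc/sudoers (and the files it includes) and against the restricted shell's allow-list reproduces the two findings in a reviewable form: a non-root account with NOPASSWD: ALL makes every shell escape a root escalation, and any allow-listed editor or remote-access client that can run a command defeats the restriction regardless of how the rest of the shell is locked down.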

Timeline

2020-10-06: Contacted MITRE to Request CVE
MITRE Responded with CVE IDs
Public Disclosure

References

  1. Akkadian Provisioning Manager, https://www.akkadianlabs.com/products/akkadian-provisioning-manager/

  2. MITRE CVE 2020-27361, https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-27361

  3. MITRE CVE 2020-27362, https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-27362

© 2022 Black Lantern Security (BLSOPS)