[R1] Cisco Prime Collaboration Provisioning Restricted CLI Bypass Local Privilege Escalation

The Cisco Prime Collaboration Provisioning platform appears to provide a “walled” CLI (the CLI is similar to the one found on Cisco IOS) that protects the real Operating System from the user (Red Hat). This CLI is available through the terminal or SSH. However, a properly formatted “walled” CLI command available to users with the admin role (i.e. the default account) can bypass all protections and execute arbitrary commands as root. Two versions were tested and found vulnerable (9.0.0.23593 and 11.0.0.815). The second version (11.0.0.815) allows the root user to have access to a full/normal Red Hat bash terminal. However, all other user’s live in the walled-off CLI. Additionally, the first version (9.0.0.23593) has no option, as far as we could determine, to get access to a Red Hat bash terminal.

The admin user has access to the “show tech” command which will output a wide variety of diagnostic information. One of the options is to write the diagnostic information to disk. It was noticed that parsing extra quotes is not handled well and that “/bin/tar” is being executed via a system() call, and /bin/rm is being invoked as well. By appending a desired command after the quotes, it will get it executed four times. With a crafted command, an attacker could use this to control the entire box (including downloading additional software via wget).