Exploits / Vulnerability Discovered : 2019-07-22 |
Type : local |
Platform : linux
This exploit / vulnerability Comtrendar5310 restricted shell escape is for educational purposes only and if it is used you will do on your own risk!
TL;DR: A local user can bypass the restricted shell using the command substitution operator $( commmand )
Comtrend AR 5310 routers have a restricted shell, the list of command a user can execute is
[ ? help logout exit quit reboot ads lxdslctl xtm loglevel logdest virtualserver ddns dumpcfg dumpmdm meminfo psp dumpsysinfo dnsproxy syslog ifconfig ping sntp sysinfo tftp wlan wlctl vlanctl arp defaultgateway dhcpserver dns lan lanhosts passwd ppp restoredefault route nslookup traceroute save uptime exitOnIdle wan build version serialnumber modelname acccntr upnp urlfilter timeres tr69cfg logouttime ipneigh dhcp6sinfo nat mcpctl ]
Usual terminal constructs like:
the command separator ";"
the control operator "&" (run in forground)
the redirection operator (pipe) "|"
the command substitution operator "`"
are all filtered as shown here :
> ;
Warning: operator ; is not supported!
telnetd:error:476.449:processInput:490:unrecognized command
> |
Warning: operator | is not supported!
telnetd:error:484.871:processInput:490:unrecognized command
> &
Warning: operator & is not supported!
telnetd:error:487.421:processInput:490:unrecognized command
> `
Warning: operator ` is not supported!
telnetd:error:495.334:processInput:490:unrecognized command