Synopsis
A non-primary administrator user with admin rights to the web interface but without shell access permissions can display configuration of the device including the master admin password. This vulnerability also allows the user to give themselves shell access with the root gid.
Despite the tester user being assigned the administrator role, this crosses a security boundary because a regular user with admin privileges still requires the main admin password to perform certain actions. It is also possible to impose restrictions on that user (no shell, no access to the PHP CLI), and this vulnerability bypasses those as well.
This was tested on RACOM M!DGE2 4.6.40.106.
Proof of Concept
In the first screenshot we can see there is an it_admin user who has administrator rights but does not have shell access to the device.
If we browse to /admin/sdkTesting.php we can see there is a console that allows us to run some code on the device.
The script below dumps the main admin's password.
ADMIN_PWD = nb_config_get("admin.password");
printf(ADMIN_PWD);
Alternatively, we can give ourselves shell access with the script below.
nb_config_set("user.0.shell=sh");
After running this script in the test console, we can go to /admin/userAccounts.php and see that our it_admin user now has shell access to the device.
When we ssh in as that user we can see we have shell access.
Solution
There is currently no fix available.
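Until a fix ships, an operator can at least watch for the two conditions this advisory describes: secondary users whose shell setting has been changed, and requests to the SDK test console. The following is an added example (not code from the advisory or from RACOM) that audits a key=value configuration export and a web-server access log; the user.N.role and user.N.name key names, the "none" default for user.N.shell, and the log format are assumptions for the example, and the sample inputs are constructed.

```python
import re

# Constructed sample: a key=value export of the device configuration. The
# user.N.shell key is the one the advisory's PoC writes; the role/name keys
# and the "none" default are assumptions, not documented RACOM values.
SAMPLE_CONFIG = """\
admin.password=REDACTED
user.0.name=it_admin
user.0.role=admin
user.0.shell=sh
user.1.name=auditor
user.1.role=admin
user.1.shell=none
"""

# Constructed sample access-log lines (common log format with the authenticated
# user in the third field); one of them hits the SDK test console.
SAMPLE_LOG = """\
192.0.2.10 - it_admin [01/Jan/2024:10:00:01 +0000] "GET /admin/userAccounts.php HTTP/1.1" 200 512
192.0.2.10 - it_admin [01/Jan/2024:10:00:07 +0000] "POST /admin/sdkTesting.php HTTP/1.1" 200 88
192.0.2.11 - auditor [01/Jan/2024:10:01:00 +0000] "GET /admin/status.php HTTP/1.1" 200 2048
"""

USER_KEY = re.compile(r"^user\.(\d+)\.(\w+)$")
LOG_LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def parse_config(text):
    """Group user.N.* keys into {N: {field: value}}; other keys are ignored."""
    users = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        m = USER_KEY.match(key.strip())
        if m:
            users.setdefault(int(m.group(1)), {})[m.group(2)] = value.strip()
    return users

def shell_enabled_users(text):
    """Names of secondary users whose shell is anything other than none/empty."""
    return sorted(u.get("name", f"user.{i}") for i, u in parse_config(text).items()
                  if u.get("shell", "none") not in ("", "none"))

def sdk_console_hits(text):
    """(user, method, status) for every request to the SDK test console page."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and m.group(4).startswith("/admin/sdkTesting.php"):
            hits.append((m.group(2), m.group(3), int(m.group(5))))
    return hits

if __name__ == "__main__":
    print("secondary users with a shell:", shell_enabled_users(SAMPLE_CONFIG))
    print("SDK console requests:", sdk_console_hits(SAMPLE_LOG))
```

A shell value appearing on a user who was provisioned without one, or any request to the SDK console from a non-primary account, is the signal to investigate.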
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]