Riello UPS Restricted Shell Bypass
During a pentest we found that the restricted configuration shell on Riello UPS systems can be bypassed to gain full access to the underlying operating system.
Riello UPS systems allow SSH access to configure the device, sometimes with the default credentials “admin:admin”.
Using the “-t bash” or “-t /bin/bash” parameters, it is possible to escape the restricted shell and get access to the operating system:
ssh admin@x.x.x.x -t bash
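The bypass above depends on the SSH server running a command supplied by the client. On an OpenSSH server, ForceCommand makes sshd ignore that command, so the audit below (an added example, not from the original advisory or from Riello) reports which ForceCommand, if any, applies to a user. It assumes an OpenSSH sshd_config read from stdin, understands only the global section, "Match User" and "Match All", and uses constructed sample configs with a hypothetical menu path /usr/local/bin/config-menu.

```shell
#!/bin/sh
# Added example: print the ForceCommand sshd would apply to USER, reading an
# sshd_config from stdin. Exit status 1 means no ForceCommand applies, i.e. a
# client-supplied command would be executed for that account.
forced_command_for() {   # usage: forced_command_for USER < sshd_config
    awk -v user="$1" '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        { key = tolower($1) }                    # keywords are case-insensitive
        key == "match" {
            in_match = 1; active = 0
            # Simplification: only "Match All" and "Match User a,b,c" are parsed.
            if (tolower($2) == "all") active = 1
            else if (tolower($2) == "user" && NF == 3) {
                n = split($3, names, ",")
                for (i = 1; i <= n; i++) if (names[i] == user) active = 1
            }
            next
        }
        key == "forcecommand" {
            $1 = ""; sub(/^[ \t]+/, "")          # keep only the command text
            if (!in_match) { if (global_cmd == "") global_cmd = $0 }
            else if (active && matched == "") matched = $0
        }
        END {
            # A matching Match block overrides the global section.
            result = (matched != "") ? matched : global_cmd
            if (result == "") exit 1
            print result
        }
    '
}

# Constructed sample: nothing pins the session to the configuration menu.
WEAK_CONFIG='PasswordAuthentication yes
Subsystem sftp internal-sftp'

# Constructed sample: the admin account is pinned to a hypothetical menu binary.
HARDENED_CONFIG='PasswordAuthentication yes
Match User admin
    ForceCommand /usr/local/bin/config-menu
    PermitTTY yes'

for name in WEAK_CONFIG HARDENED_CONFIG; do
    eval "cfg=\$$name"
    printf '%s: ' "$name"
    printf '%s\n' "$cfg" | forced_command_for admin || echo "no ForceCommand for admin"
done
```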
Disclosure
https://packetstormsecurity.com/files/171385/Riello-UPS-Restricted-Shell-Bypass.html
Written on April 3, 2023