# Akkadian Provisioning Manager Information Disclosure and Restricted Shell Escape

Public disclosure of two CVEs discovered within the Akkadian Provisioning Manager

The Akkadian Provisioning Manager assists with provisioning and monitoring Cisco-UC products through a web interface. Black Lantern Security (BLS) discovered that, by default, there are a number of dangerous settings configured by Akkadian that negatively impact the security of the product.

## CVE-2020-27361

One such dangerous configuration is that directory listing is enabled by default on the web server. This allows an unauthenticated user to browse and download the entirety of the web directory.

Figure 1: Viewing the directory listing of the /pme/media directory.

Compounding the severity, the Akkadian Provisioning Manager also stores backups of its database in the web directory.

Figure 2: Viewing the directory containing database backups.

Since the database backups are stored within the Akkadian Provisioning Manager’s web directory and directory listing is enabled, unauthenticated users are able to download the database backups.
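As an added example (not BLS tooling or Akkadian code), a small check a defender can run over a saved HTTP response to flag auto-generated directory listings that link to backup-like files. The `/pme/media` path comes from Figure 1; the page markup and the backup filename in the sample are constructed.

```python
"""Flag auto-generated web directory listings that expose database backups."""
import re
from html.parser import HTMLParser

# Extensions a defender would treat as sensitive when served from the web root.
BACKUP_EXTENSIONS = (".sql", ".sql.gz", ".bak", ".dump", ".tar.gz", ".zip")


class _LinkCollector(HTMLParser):
    """Collects the <title> text and every href on the page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _parse(body):
    parser = _LinkCollector()
    parser.feed(body)
    return parser


def is_directory_listing(body):
    """True if the response looks like an Apache/nginx style auto-index page."""
    parsed = _parse(body)
    return bool(re.match(r"\s*Index of\s+/", parsed.title)) or "Parent Directory" in body


def exposed_backups(body):
    """Return links from a directory listing whose names look like DB backups."""
    if not is_directory_listing(body):
        return []
    return [h for h in _parse(body).hrefs if h.lower().endswith(BACKUP_EXTENSIONS)]


# Constructed sample of an auto-index page; not captured from any real host.
SAMPLE_LISTING = """<html><head><title>Index of /pme/media</title></head><body>
<h1>Index of /pme/media</h1><a href="/pme/">Parent Directory</a>
<a href="pme_db_backup.sql.gz">pme_db_backup.sql.gz</a>
<a href="logo.png">logo.png</a></body></html>"""
```

Run against a listing such as the sample, `exposed_backups` returns the backup link; against a normal page it returns an empty list.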

## CVE-2020-27362

Figure 3: A root shell on the Akkadian Provisioning Manager.

BLS found two methods of escaping the restricted shell provided by the Akkadian Provisioning Manager. For the first method, BLS found that the restricted shell allowed users to edit configuration files with `vim`. Since `vim` could be launched, the `:!bash` command could then be used to escape the restricted shell and enter a bash shell. The bash shell ran in the context of the user running the restricted shell, which happened to be the root user.

For the second method, BLS found that the restricted shell could be bypassed by specifying a command to execute on the server with the `ssh` command. For instance, the command `ssh akkadianuser@Server bash` would SSH to the Akkadian Provisioning Manager as `akkadianuser` and immediately launch a bash shell instead of the restricted shell. The `akkadianuser` account can use `sudo` with any command without a password, so `sudo bash` could then be used to obtain a root shell on the system.

## Timeline

- 2020-10-06: Contacted MITRE to request CVEs
- 2021-06-08: MITRE responded with CVE IDs
- 2021-07-01: Public disclosure