Rich Mirch

Penetration Tester, Red Teamer, Security Researcher

CVE-2018-18556 – VyOS Privilege escalation via sudo pppd for operator users — November 5, 2018

Recently I found several ways to escape the restricted shell for an operator user in VyOS 1.1.8. VyOS is a Linux-based network operating system that provides software-based network routing, firewall, and VPN functionality. I plan to post information on the restricted shell escapes in the near future; for now, read the blog by @dmbaturin detailing some of the methods.

This post will focus on how root access was obtained using sudo after the restricted shell was escaped. One of my first post-exploitation steps on Linux after a low-privileged shell is obtained is to check if the user has sudo rules configured. Sudo is designed to limit privileges, but oftentimes it can be leveraged to elevate access.
