Multiple Vulnerabilities In Extreme Networks ExtremeXOS

We discussed this vulnerability during Episode 231 on 18 December 2023

Multiple vulns were detailed in ExtremeXOS, the operating system used on Extreme Networks managed switches. The bulk of the issues stem from Chalet, the main web application, which is written in Python on the CherryPy framework and runs as root. Of particular interest was the /terminal endpoint, which gives authenticated users a limited terminal for management and diagnostics.

Issue 1: Arbitrary File Read as Root
While a login is needed to access the terminal commands, the /terminal/_static route used to serve static files is unauthenticated, and it neither sandboxes the requested path nor rejects path traversal sequences. Since the web application runs as root, this yields arbitrary file read as root, which can be used to read configuration files and recover password hashes.
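A simplified model of the static-file path handling described above, added here as an illustration rather than Chalet's or CherryPy's actual code. The vulnerable resolver joins the decoded request path onto the static directory and normalises it without ever checking where it ended up; the hardened resolver does the same join but refuses anything that does not remain under the root. The static root path is an assumption, not the real install location.

```python
# Added example (not Chalet's code): a model of a static-file route that
# joins the requested path onto a directory, shown both without and with a
# containment check. STATIC_ROOT is an assumed location for illustration.
import os
from typing import Optional
from urllib.parse import unquote

STATIC_ROOT = "/opt/chalet/static"  # assumption, not the real install path


def resolve_unsafe(static_root: str, requested: str) -> str:
    """Vulnerable: normalises the joined path but never checks the result.
    '..' segments (including URL-encoded ones) walk out of static_root."""
    return os.path.normpath(os.path.join(static_root, unquote(requested)))


def resolve_safe(static_root: str, requested: str) -> Optional[str]:
    """Hardened: decode, strip any leading slash so the request cannot name an
    absolute path, resolve symlinks, then require the result to sit inside
    static_root. Returns None for anything that escapes."""
    root = os.path.realpath(static_root)
    decoded = unquote(requested)
    if "\x00" in decoded:  # a NUL byte would truncate the path in C-level file APIs
        return None
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def read_static(static_root: str, requested: str) -> bytes:
    """What the route should do: refuse anything outside the root before
    touching the filesystem. When the process runs as root, this check is the
    only thing between an unauthenticated request and /etc/passwd."""
    path = resolve_safe(static_root, requested)
    if path is None:
        raise PermissionError(f"refusing path outside static root: {requested!r}")
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    for req in ("js/app.js", "../../../etc/passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{req!r:45} unsafe -> {resolve_unsafe(STATIC_ROOT, req)}")
        print(f"{'':45} safe   -> {resolve_safe(STATIC_ROOT, req)}")
```

The check is done on the fully resolved path rather than by scanning for `..` in the string, so encoded segments, mixed separators and symlinks inside the static directory are all handled by the same comparison.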

Issue 2: SSRF + Permissive Auth Escalation to Admin
Once authenticated as a read-only user (presumably with credentials recovered by cracking one of those password hashes), the researchers looked at whether escalation to admin was possible. Authentication goes through the /auth/token endpoint, which returns a JWT when given valid credentials. To facilitate Inter-Process Communication (IPC), requests from localhost are exempt from the credential check and are simply handed an admin token. One of the commands available to a read-only user in the terminal is telnet, which can connect to the web server on the loopback interface; this provides Server Side Request Forgery (SSRF), allowing a request to /auth/token to be sent that arrives from localhost and is answered with an admin token.
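The exchange described above, modelled as an added example that is not Chalet's code: a minimal token endpoint that treats a loopback source address as proof of identity, and a raw-socket client that sends exactly the kind of hand-typed HTTP request a telnet session to 127.0.0.1 would carry. The server also includes a hardened path in which IPC callers must present a shared secret instead of relying on their source address. The user database, the secret and the response format are all constructed for the example.

```python
# Added example (not Chalet's code): a token endpoint with a loopback
# exemption, plus a raw TCP client standing in for a telnet session. The
# credentials, secret and JSON response shape are constructed for this demo.
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

USERS = {"readonly": ("ro-password", "read-only")}  # constructed sample account
IPC_SECRET = "constructed-ipc-secret"                # hypothetical per-boot IPC secret


class TokenHandler(BaseHTTPRequestHandler):
    trust_loopback = True  # vulnerable default: the source address is the credential

    def do_POST(self):
        if self.path != "/auth/token":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = json.loads(self.rfile.read(length) or b"{}")
        role = None
        if self.trust_loopback and self.client_address[0] == "127.0.0.1":
            role = "admin"  # the exemption: anything from localhost gets admin, no check
        elif self.headers.get("X-IPC-Secret") == IPC_SECRET:
            role = "admin"  # hardened path: IPC callers prove themselves with a secret
        else:
            user = USERS.get(body.get("username"))
            if user and user[0] == body.get("password"):
                role = user[1]
        if role is None:
            self.send_error(401)
            return
        payload = json.dumps({"role": role}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server(trust_loopback: bool) -> ThreadingHTTPServer:
    """Bind an ephemeral loopback port; trust_loopback selects vulnerable or hardened behaviour."""
    handler = type("Handler", (TokenHandler,), {"trust_loopback": trust_loopback})
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def raw_token_request(port: int, body: dict, headers: dict = None) -> dict:
    """Send the request byte-for-byte over a plain TCP socket, as a telnet session
    to 127.0.0.1:<port> would. Returns the status and, on success, the JSON body."""
    data = json.dumps(body).encode()
    lines = ["POST /auth/token HTTP/1.1", f"Host: 127.0.0.1:{port}",
             "Content-Type: application/json", f"Content-Length: {len(data)}",
             "Connection: close"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    request = ("\r\n".join(lines) + "\r\n\r\n").encode() + data
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        sock.sendall(request)
        response = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            response += chunk
    head, _, payload = response.partition(b"\r\n\r\n")
    status = int(head.split(b" ")[1])
    return {"status": status, "body": json.loads(payload) if status == 200 else None}


if __name__ == "__main__":
    srv = start_server(trust_loopback=True)
    print("loopback, no credentials:", raw_token_request(srv.server_address[1], {}))
    srv.shutdown()
```

The point of the hardened branch is that "came from 127.0.0.1" stops being a credential the moment any authenticated user can originate a loopback connection, which the telnet command gives them; the IPC caller has to present something the read-only user does not hold.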

Issue 3: 'Shell Injection' Escalation to Root
The jsonrpc endpoint can be used to execute CLI commands, and by sending a cli request with params supplied in the JSON body it is possible to get arbitrary data into commands run by the shell. Passing the -d (debug) flag causes those commands to run as root. It's worth noting that this requires admin capability, which would be obtained through the previous chain of issues, and the vendor does not consider admin to root to be a security boundary, so no CVE was issued for this issue.
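A simplified model of the injection pattern above, added here as an illustration and not Chalet's code. The vulnerable handler joins caller-supplied params into one string and hands it to a shell, so metacharacters in the params become shell syntax; the hardened handler validates the verb against an allowlist, refuses caller-supplied option switches (so a debug flag cannot be smuggled in from the request), and passes each param as its own argv element with no shell involved. /bin/echo stands in for the real CLI binary so the effect is visible and harmless; the allowlist is hypothetical.

```python
# Added example (not Chalet's code): a model of a JSON-RPC "cli" handler that
# turns caller-supplied params into a command. `echo` stands in for the real
# CLI executable so the effect of injection is visible and harmless.
import json
import subprocess
from typing import List

CLI_BINARY = "echo"                               # stand-in for the real CLI binary (assumption)
ALLOWED_VERBS = {"show", "ping", "traceroute"}    # hypothetical allowlist of permitted verbs


def run_unsafe(request_json: str) -> str:
    """Vulnerable pattern: params are joined into one string and executed via
    a shell, so ';', '|', '$(...)' and friends inside params become shell syntax."""
    req = json.loads(request_json)
    cmdline = f"{CLI_BINARY} {' '.join(req['params'])}"
    return subprocess.run(cmdline, shell=True, capture_output=True, text=True).stdout


def build_argv_safe(request_json: str) -> List[str]:
    """Hardened: validate the params and build an argv list. Every param stays a
    single argument, whatever characters it contains, because no shell parses it."""
    req = json.loads(request_json)
    params = req.get("params")
    if not isinstance(params, list) or not params or not all(isinstance(p, str) for p in params):
        raise ValueError("params must be a non-empty list of strings")
    if params[0] not in ALLOWED_VERBS:
        raise ValueError(f"verb not permitted: {params[0]!r}")
    # Option switches chosen by the caller (such as a debug flag that changes
    # the privilege level the command runs with) must never be forwarded.
    if any(p.startswith("-") for p in params):
        raise ValueError("option flags may not be supplied by the caller")
    return [CLI_BINARY, *params]


def run_safe(request_json: str) -> str:
    """Execute the validated argv directly, with no shell in between."""
    return subprocess.run(build_argv_safe(request_json), capture_output=True, text=True).stdout


def is_permitted(request_json: str) -> bool:
    """True if the request survives validation, False if it would be rejected."""
    try:
        build_argv_safe(request_json)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed malicious request: the second param carries a trailing ';'
    # so the shell sees a second command.
    evil = json.dumps({"method": "cli", "params": ["show", "version;", "echo", "INJECTED"]})
    print("unsafe:", repr(run_unsafe(evil)))
    print("safe:  ", repr(run_safe(evil)))
    print("debug flag permitted:", is_permitted(json.dumps({"method": "cli", "params": ["show", "-d", "version"]})))
```

With the shell in the loop the injected `echo INJECTED` runs as a separate command; with an argv list the same bytes reach the binary as one literal argument `version;`, and the request that tries to pass `-d` is refused outright.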