Comtrend AR-5310 Restricted Shell Escape Vulnerability
Vulnerability
A restricted shell escape vulnerability has been identified in the Comtrend AR-5310 router, specifically in the GE31-412SSG-C01_R10.A2pG039u.d24k version. This vulnerability allows local users to bypass command restrictions by using the command substitution operator, enabling the injection and execution of arbitrary commands. Passing a command in the $( ) syntax as an argument to a permitted command such as ping gives the user unrestricted access to the shell.
Impact
Exploitation of this vulnerability leads to unauthorized shell access, allowing users to execute arbitrary commands with elevated privileges.
Reproduction
The vulnerability can be reproduced by accessing the router's telnet interface, which is available on the local network. Once connected, the command substitution operator $( ) can be used with allowed commands to execute arbitrary shell commands. For example, using 'ping $(sh)' will invoke the shell and allow command execution.
