Riello UPS systems can have their restricted configuration shell bypassed to gain full underlying operating system access.
I. VULNERABILITY
-------------------------
Riello UPS systems allow to easily escape the configuration shell and get access to the operating system
II. VENDOR
-------------------------
Riello (https://www.riello-ups.es/)
III. DESCRIPTION
-------------------------
Riello UPS systems allow SSH access to configure the device, sometimes with the default credentials "admin:admin".
Using the "-t bash" or "-t /bin/bash" paramters it is possible to escape the restricted shell and get access to the operating system:
ssh [email protected] -t bash
