Microhard Systems IPn4G
- 1.1.0 build 1098
A vulnerability in Microhard Systems IPn4G version 1.1.0 has been identified, allowing authenticated users to enable a restricted SSH shell with the default 'msshc' user. This vulnerability arises from a command injection flaw in a custom 'ping' command within the NcFTP environment, which can be exploited to escape the restricted shell and gain root privileges. The issue is present in several other Microhard products and versions, including the IPn3Gb, Bullet-3G, VIP4Gb, VIP4G, IPn3Gii, IPn4Gii, BulletPlus, and Dragon-LTE.
Exploitation of this vulnerability allows for unauthorized access to a root shell, where commands can be executed with root privileges.
To reproduce this vulnerability, an authenticated user must enable the 'Microhard Sh' service through the web admin panel or via a CSRF attack. Once the service is active, the 'msshc' user can be accessed via SSH on port 22. After logging in, the user is placed in a restricted NcFTP environment. The command injection vulnerability can be exploited by using the 'ping' command to escape the jailed environment and access a root shell.
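A defensive check for the condition described above, as an added example that is not part of the original advisory: because the 'Microhard Sh' service has to be enabled before 'msshc' can log in, any successful SSH login as that user is worth an alert. The OpenSSH and Dropbear message shapes and the sample log lines are assumptions constructed for illustration; the advisory does not say which SSH daemon the device runs or where it logs.

```python
import re
from collections import Counter

# Default account named in the advisory.
WATCHED_USER = "msshc"

# Successful-auth message shapes of OpenSSH and Dropbear (assumption: the
# advisory does not name the SSH daemon, so both are matched).
PATTERNS = [
    re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"),
    re.compile(r"(?P<method>Password|Pubkey) auth succeeded for '(?P<user>[^']+)'.* from (?P<src>[0-9a-fA-F.:\[\]]+?):\d+\s*$"),
]

# Constructed sample syslog lines (documentation IP ranges, made-up hostnames
# and PIDs); not taken from a real device.
SAMPLE_LOG = """\
Jan 10 03:12:01 gw1 sshd[812]: Failed password for msshc from 192.0.2.44 port 40112 ssh2
Jan 10 03:12:09 gw1 sshd[812]: Accepted password for msshc from 192.0.2.44 port 40112 ssh2
Jan 10 03:15:30 gw1 dropbear[901]: Password auth succeeded for 'admin' from 198.51.100.7:50022
Jan 10 04:01:17 gw1 dropbear[944]: Password auth succeeded for 'msshc' from 192.0.2.44:40980
Jan 10 04:20:00 gw1 dropbear[950]: Password auth succeeded for 'msshc' from 203.0.113.9:41000
""".splitlines()


def find_msshc_logins(lines, user=WATCHED_USER):
    """Return (source, method, raw_line) for each successful login as `user`."""
    hits = []
    for line in lines:
        for pat in PATTERNS:
            m = pat.search(line)
            if m and m.group("user") == user:
                hits.append((m.group("src"), m.group("method").lower(), line.strip()))
                break  # one match per line is enough
    return hits


def summarize(hits):
    """Count successful logins per source address."""
    return Counter(src for src, _, _ in hits)


if __name__ == "__main__":
    for src, count in summarize(find_msshc_logins(SAMPLE_LOG)).most_common():
        print(f"ALERT: {count} successful '{WATCHED_USER}' login(s) from {src}")
```
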