Microhard Systems IPn4G Authentication Bypass Vulnerability Allowing Arbitrary File Access and Modification

An authentication bypass vulnerability has been identified in Microhard Systems IPn4G version 1.1.0. The issue resides in a hidden script called 'system-editor.sh', which is part of the web interface. This vulnerability allows authenticated attackers to bypass authentication and gain unauthorized access to the file system. Exploitation involves manipulating unsanitized 'path', 'savefile', 'edit', and 'delfile' parameters through GET and POST requests, enabling attackers to read, modify, or delete arbitrary files on the device.

Impact

Exploitation of this vulnerability could lead to unauthorized file access and manipulation, including the potential for privilege escalation by modifying system files or user credentials.

Reproduction

The vulnerability can be reproduced by sending a GET or POST request to the 'system-editor.sh' script with the 'path' parameter set to a directory containing files to be accessed or modified. The 'savefile', 'edit', and 'delfile' parameters can be used to specify files for reading, editing, or deletion. The absence of proper input sanitization allows for arbitrary file operations to be performed.