Microhard Systems IPn4G
- 1.1.0 build 1098
A vulnerability in Microhard Systems IPn4G version 1.1.0 has been identified, allowing authenticated attackers to access and download sensitive system configuration files. This vulnerability exists in several Microhard products, including the IPn3Gb, IPn4Gb, Bullet-3G, VIP4Gb, VIP4G, IPn3Gii, IPn4Gii, BulletPlus, and Dragon-LTE, across various versions. The issue arises from improper access controls, enabling the extraction of files containing system passwords and network settings from multiple directories, such as '/www', '/etc/m_cli/', and '/tmp'.
Exploitation of this vulnerability could lead to unauthorized access to sensitive system information, including passwords and network configurations, potentially allowing for authentication bypass, privilege escalation, and full system access.
To reproduce this vulnerability, an authenticated user can send a request to download the 'IPn4G.config' file from the root directory or the 'cli.conf' file from '/etc/m_cli/'. The downloaded files will contain sensitive information such as system passwords and network settings. This vulnerability can also be exploited by accessing the '/www/cgi-bin/system.conf' file, which similarly contains sensitive information that could be used for privilege escalation and gaining full access to the system.
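For defenders, one way to check whether these files have already been requested (an added example, not part of the original advisory): the script scans web access logs for the file names listed above and separates requests that returned content from ones that were refused. The log format (NCSA common/combined, for instance from a reverse proxy in front of the device), the URL layout, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# File names from the advisory text, compared case-insensitively.
SENSITIVE_NAMES = {"ipn4g.config", "cli.conf", "system.conf"}

# Assumption: NCSA common/combined log lines (the advisory gives no log format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation IP ranges, assumed URL layout).
SAMPLE_LOG = [
    '192.0.2.10 - admin [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - admin [12/Mar/2024:10:05:40 +0000] "GET /IPn4G.config HTTP/1.1" 200 18432',
    '198.51.100.7 - admin [12/Mar/2024:10:05:44 +0000] "GET /cgi-bin/system.conf HTTP/1.1" 200 2048',
    '192.0.2.55 - - [12/Mar/2024:11:00:00 +0000] "GET /%49Pn4G.config HTTP/1.1" 401 -',
]

def find_config_requests(lines):
    """Return {client: [(timestamp, decoded_path, status, size), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format
        # Decode percent-encoding before comparing, so encoded names still match.
        path = unquote(urlsplit(m["target"]).path)
        if path.rsplit("/", 1)[-1].lower() not in SENSITIVE_NAMES:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        hits[m["client"]].append((m["ts"], path, int(m["status"]), size))
    return dict(hits)

def served(hits):
    """Clients that received file content (2xx status with a non-empty body)."""
    return sorted(
        client for client, rows in hits.items()
        if any(200 <= status < 300 and size > 0 for _, _, status, size in rows)
    )

if __name__ == "__main__":
    found = find_config_requests(SAMPLE_LOG)
    for client in served(found):
        print(client, found[client])
```

A 2xx hit means the configuration, including the passwords it stores, should be treated as disclosed and the credentials rotated.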