Microhard Systems IPn4G Process Manipulation Vulnerability Allowing Denial-of-Service

A vulnerability in Microhard Systems IPn4G version 1.1.0 has been identified, allowing authenticated attackers to exploit a hidden feature that lets them list and manipulate active system processes. This vulnerability can be used to send arbitrary signals to terminate background processes and disrupt system services, potentially causing a denial-of-service condition that requires restarting the device. The issue can also be triggered by cross-site request forgery (CSRF) attacks, with the malicious changes needing a device restart or factory reset to revert.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition by causing unintended disruptions to system processes and services, which can require a device restart or factory reset to resolve.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/cgi-bin/webif/status-processes.sh' endpoint. The request must include an 'Authorization' header with valid credentials. Once the process listing is obtained, arbitrary signals can be sent to terminate specific processes, including those related to system services.