Microhard BulletLTE-NA2 and IPn4Gii-NA2 Post-Authentication Command Injection Vulnerability

Vulnerability

A post-authentication command injection vulnerability has been identified in the AT+MFIP command of the Microhard BulletLTE-NA2 and IPn4Gii-NA2 products. This vulnerability allows for privilege escalation by injecting commands that are executed as the root user. The issue arises from improper handling of user input in the command, which can be exploited to execute arbitrary commands with elevated privileges. The vulnerability exists within the restricted command-line interface (CLI) that is accessible via telnet or SSH, requiring valid user credentials to exploit.

Impact

Exploitation of this vulnerability allows authenticated users to inject commands that are executed as the root user, bypassing the restrictions of the normal user shell. This could lead to unauthorized access and control over the device, potentially allowing for further exploitation within the network or system where the device is deployed.

Reproduction

To reproduce this vulnerability, log into the affected device with valid credentials via telnet or SSH. Once authenticated, enter the restricted CLI and issue the AT+MFIP command with a payload that uses the $() or backtick syntax; the injected command is executed as the root user. For example, a command could be injected to open a reverse shell connection.

Remediation

As of the publication of this CVE, no general fix is available. Users are advised to monitor for future updates from Microhard Corporation.
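
With no fix available, reviewing CLI command logs for this pattern is one available check. The following is an added example, not part of the original advisory or any Microhard code: it flags AT+MFIP invocations whose arguments contain the $() or backtick syntax described under Reproduction. The log layout, the function name find_mfip_injection and the ARG/PLACEHOLDER values are assumptions, and the sample lines are constructed.

```python
import re

# Constructed sample of a CLI command audit log. The "timestamp user command"
# layout and the ARG/PLACEHOLDER values are assumptions, not a Microhard log
# format or the real AT+MFIP argument syntax.
SAMPLE_LOG = """\
2025-06-08T21:00:01Z admin AT
2025-06-08T21:00:09Z admin AT+MFIP=ARG1,ARG2
2025-06-08T21:00:15Z oper at+mfip=ARG1,$(PLACEHOLDER)
2025-06-08T21:00:20Z oper AT+MFIP=ARG1,`PLACEHOLDER`
2025-06-08T21:00:26Z oper  AT+MFIP = ARG1,`PLACEHOLDER
"""

# The command name is matched case-insensitively; everything after it is
# treated as untrusted argument text.
MFIP_RE = re.compile(r"\bAT\+MFIP\b(?P<args>.*)", re.IGNORECASE)

# Command-substitution syntaxes named in the advisory.
MARKERS = {"$(": "dollar-paren", "`": "backtick"}


def find_mfip_injection(log_text):
    """Return one finding per AT+MFIP line that carries substitution syntax."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split(None, 2)  # timestamp, user, rest of line
        if len(parts) < 3:
            continue
        timestamp, user, command = parts
        match = MFIP_RE.search(command)
        if not match:
            continue
        args = match.group("args")
        # A lone, unterminated backtick is flagged as well.
        hits = [name for marker, name in MARKERS.items() if marker in args]
        if hits:
            findings.append({
                "line": lineno,
                "time": timestamp,
                "user": user,
                "syntax": hits,
                "command": command.strip(),
            })
    return findings


if __name__ == "__main__":
    for finding in find_mfip_injection(SAMPLE_LOG):
        print(finding)
```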

Added: Jun 8, 2025, 9:25 PM
Updated: Jun 8, 2025, 9:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 6.2
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.