Microhard BulletLTE-NA2 and IPn4Gii-NA2 Post-Authentication Command Injection Vulnerability

Vulnerability

A post-authentication command injection vulnerability has been identified in the Microhard BulletLTE-NA2 and IPn4Gii-NA2 products. This vulnerability resides within the AT+MFMAC command of the restricted command-line interface (CLI) and can lead to privilege escalation. The issue allows authenticated users to inject commands that are executed with root privileges, thereby escaping the restricted shell and gaining full access to the device.

Impact

Exploitation of this vulnerability allows authenticated users to perform command injection via the AT+MFMAC command, executing arbitrary commands as the root user. This could lead to unauthorized access and control over the device.

Reproduction

To reproduce this vulnerability, an authenticated user must access the device's CLI via telnet or SSH. Once connected, the user can issue the AT+MFMAC command. By injecting commands wrapped in backticks or dollar-parentheses, and using the internal field separator for space-delimited arguments, it is possible to execute arbitrary commands as the root user. For example, injecting a command to open a reverse shell would demonstrate the exploitation of this vulnerability.
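A detection sketch for the pattern described above, added here as an example and not taken from the vendor or the original advisory: it flags AT+MFMAC invocations whose argument contains backticks, `$(`, an IFS expansion, or other shell metacharacters. The log line format, the `scan_line`/`scan_log` names, and the sample AT+MFMAC argument syntax are assumptions constructed for illustration.

```python
import re

# Shell constructs the advisory names as injection vectors, plus other
# metacharacters that have no place in an AT command argument.
SUSPICIOUS = [
    ("backtick substitution", re.compile(r"`")),
    ("$() substitution", re.compile(r"\$\(")),
    ("IFS expansion", re.compile(r"\$\{?IFS\b")),
    ("shell metacharacter", re.compile(r"[;&|<>]")),
]

# Capture everything that follows the command name on the same line.
AT_MFMAC = re.compile(r"\bAT\+MFMAC\b(?P<args>.*)", re.IGNORECASE)

def scan_line(line):
    """Return the reasons a line is suspicious, or [] if it is clean."""
    m = AT_MFMAC.search(line)
    if not m:
        return []
    args = m.group("args")
    return [name for name, rx in SUSPICIOUS if rx.search(args)]

def scan_log(lines):
    """Return (line_number, reasons) for every flagged AT+MFMAC line."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = scan_line(line)
        if reasons:
            hits.append((n, reasons))
    return hits

# Constructed sample: hypothetical CLI audit lines from a session recorder.
# The argument syntax shown for AT+MFMAC is assumed, not documented here.
SAMPLE_LOG = [
    "2025-06-08T21:02:11Z cli user=admin cmd=AT",
    "2025-06-08T21:02:40Z cli user=admin cmd=AT+MFMAC=00:11:22:33:44:55",
    "2025-06-08T21:03:05Z cli user=admin cmd=AT+MFMAC=`id`",
    "2025-06-08T21:03:30Z cli user=admin cmd=AT+MFMAC=$(echo${IFS}test)",
]

if __name__ == "__main__":
    for lineno, reasons in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(reasons)}")
```

The same patterns can be applied to telnet or SSH session captures from a jump host, since the device's own restricted CLI may not log the commands it receives.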

Added: Jun 8, 2025, 9:24 PM
Updated: Jun 8, 2025, 9:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 6.2
remediation: 0.0
relevance: 0.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.