Microhard BulletLTE-NA2 and IPn4Gii-NA2 Post-Authentication Command Injection Vulnerability

A post-authentication command injection vulnerability has been identified in the AT+MFPORTFWD command of the Microhard BulletLTE-NA2 and IPn4Gii-NA2 products. This vulnerability allows for privilege escalation by injecting commands that are executed as the root user. The issue arises from improper handling of user input in the command, enabling authenticated users to execute arbitrary commands with elevated privileges.

Impact

Exploitation of this vulnerability allows authenticated users to inject commands that are executed as the root user, potentially leading to full control over the affected device.

Reproduction

To reproduce this vulnerability, an authenticated user must access the device's restricted command-line interface (CLI) via telnet or SSH. Once logged in, the user can issue the AT+MFPORTFWD command. By wrapping the input in dollar-parentheses or backticks, arbitrary commands can be injected and executed as the root user. The injected command can be crafted to, for example, open a reverse shell by using netcat.