Microhard BulletLTE-NA2
cpe:2.3:h:microhardcorp:bullet-lte:*:*:*:*:*:*:*
- >= 1.2.0-r1132, < 1.2.0-r1132
A post-authentication command injection vulnerability has been identified in the Microhard BulletLTE-NA2 and IPn4Gii-NA2 products. This vulnerability, which allows for privilege escalation, arises from improper handling of user input in the AT+MMNAME command within the restricted command-line interface (CLI). Exploitation of this issue requires authentication, as access to the CLI via telnet is only available to users with a valid account. However, once authenticated, an attacker can inject commands that are executed with root privileges, potentially leading to full control over the device.
Exploitation of this vulnerability allows authenticated users to execute arbitrary commands as the root user, escaping the restricted shell of the CLI interface. This privilege escalation could be used to gain complete, root-level access to the affected device.
To reproduce this vulnerability, log into the affected device via telnet using valid credentials. Once authenticated, issue the AT+MMNAME command with injected payloads that exploit the command injection vulnerability, such as wrapping the input in dollar-parentheses or backticks to execute arbitrary commands as the root user.
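For defenders, the advisory's description maps to an allowlist check on the name value and a triage pass over recorded CLI input. The following is an added example, not vendor code or part of the original advisory; the `AT+MMNAME=<value>` set syntax, the permitted character set and the sample lines are assumptions made for illustration.

```python
import re

# Assumption: a device name needs only letters, digits, '.', '_' and '-' (max 64).
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")
# Assumption: the command is issued as AT+MMNAME=<value>; name matched case-insensitively.
MMNAME_SET = re.compile(r"^\s*AT\+MMNAME\s*=\s*(.*?)\s*$", re.IGNORECASE)
# The two shell substitution forms the advisory names: $( ... ) and backticks.
SUBSTITUTION = re.compile(r"\$\(|`")


def classify(line):
    """Classify one CLI input line as 'not-mmname', 'ok', 'substitution' or 'rejected'."""
    match = MMNAME_SET.match(line)
    if match is None:
        return "not-mmname"
    value = match.group(1)
    if SAFE_NAME.fullmatch(value):
        return "ok"            # passes the allowlist, safe to hand to the backend
    if SUBSTITUTION.search(value):
        return "substitution"  # matches the pattern described in the advisory
    return "rejected"          # fails the allowlist for another reason


def triage(lines):
    """Return (line_number, verdict, line) for each AT+MMNAME line failing the allowlist."""
    findings = []
    for number, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict in ("substitution", "rejected"):
            findings.append((number, verdict, line.strip()))
    return findings


# Constructed sample input, not captured from a real device.
SAMPLE = [
    "AT+MMNAME=Bullet-Site01",
    "AT",
    "AT+MMNAME=$(placeholder)",
    "at+mmname=`placeholder`",
    "AT+MMNAME=site 01",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The allowlist is the control; the substitution pattern only labels findings for review, so a value is refused whenever it fails `SAFE_NAME`, whatever characters it contains.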