RACOM M!DGE2 Privilege Escalation Vulnerability Allowing Unauthorized Shell Access

Vulnerability

RACOM M!DGE2 version 4.6.40.106 allows a non-primary administrator user who has web interface admin rights but no shell access to read device configuration, including the master admin password. With that password, the same user can grant themselves shell access with root privileges. The restriction on this role rests on the user not knowing the main admin password, which certain actions require; because the role can read the configuration that stores that password, the restriction can be bypassed.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, enabling a user to gain shell access with root privileges on the affected device.

Reproduction

The vulnerability can be reproduced by logging into the RACOM M!DGE2 device as a non-primary administrator user who has web interface admin rights but no shell access. Once logged in, navigate to the SDK testing console available through the admin interface. From there, execute a script to dump the main admin password by accessing the configuration management function. After obtaining the password, the same console can be used to modify the user's shell access rights, effectively granting shell access with root privileges.

Added: Aug 26, 2025, 5:23 PM
Updated: Aug 26, 2025, 5:23 PM

Vulnerability Rating

Custom Algorithm

  spread          1.4
  impact          5.0
  exploitability  5.8
  remediation     0.0
  relevance       0.4
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.