ZSL-2018-5486: Command Injection in Multiple Router Web Admin Panels

Key Vulnerability Information Summary Advisory ID: ZSL-2018-5486 Type: Local/Remote Impact: System Access Risk: (5/5) Release Date: 17.07.2018 Description Vulnerability Details: The web shell application includes a service named Microhard Sh, marked in documentation as "for internal use only." This service can be enabled by authenticated users via the "Services" menu in the web management panel, or through a CSRF attack. Once enabled, a user named 'msssh' is created on the system with the password 'msssh'. Upon connecting via port 22, the user is dropped into a restricted NcFTP environment with limited file transfer management commands. One of these commands is a custom-added 'ping' command, which contains a command injection vulnerability. This allows attackers to escape the restricted environment, gain access to a root shell, and execute commands as the root user. Affected Versions IPn4G 1.1.0 build 1098 IPn3Gb 2.2.0 build 2160 IPn4Gb 1.1.6 build 1184-14 IPn4Gb 1.1.0 Rev 2 build 1090-2 IPn4Gb 1.1.0 Rev 2 build 1086 Bullet-3G 1.2.0 Rev A build 1032 VIP4Gb 1.1.6 build 1204 VIP4G 1.1.6 Rev 3.0 build 1184-14 VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196 IPn3Gi / Bullet-3G 1.2.0 build 1076 IPn4Gi / Bullet-LTE 1.2.0 build 1078 BulletPlus 1.3.0 build 1036 Dragon-LTE 1.1.0 build 1036 Vendor Status [13.03.2018] Vulnerability discovered. [13.03.2018] Vendor contacted. [09.05.2018] No response from vendor. [10.05.2018] Vendor contacted again. [24.05.2018] No response from vendor. [25.05.2018] Vendor contacted again. [16.07.2018] No response from vendor. [17.07.2018] Security advisory published. PoC Link: microhard_backdoor.txt References 1. Exploit-DB 2. CXSecurity 3. XForce 4. PacketStorm

Goal Reached Thanks to every supporter — we hit 100%!

ZSL-2018-5486: Command Injection in Multiple Router Web Admin Panels