Verizon MiFi Escalated Privileges through Backup Restore Function
The backup restore function on the The Verizon Mifi 6620L, version 4.5, allows a user to modify critical system files on the device such as the ‘root’ users’ crontab file.
The backup restore function allows a user to upload previously saved configuration files to restore the device to a previous known state. The backup file is a base64 encoded-encrypted zip file. The backup file can be encrypted and decrypted using the ‘nvtl_encrypt’ utility on the device. The encryption mechanism used is not unique to the device and configurations can be shared across devices.
An authenticated user is able to download a copy of their devices’ configuration file through the web interface and decode and decrypt the file to read the contents of the zip file.
The user can then modify the zip file to include a ‘root’ crontab file.
After modification, the user can encrypt and encode the file, and use the restore function to upload the modified configuration file.
In this way the user can execute commands on the device as root through the crontab function.