Risk Summary
The backup restore function on the The Verizon Mifi 6620L, version 4.5, allows a user to modify critical system files on the device such as the ‘root’ users’ crontab file.
Verizon MiFi Escalated Privileges through Backup Restore Function
Medium
Advisory ID:
L9-46-492
First Published:
February, 09th, 2022
Last Updated:
January, 22nd, 2024
Version:
4.5
Category:
Escalated Privileges
Vendor:
Verizon
Product:
Verizon MiFi 6620L
Technical Details
The backup restore function allows a user to upload previously saved configuration files to restore the device to a previous known state. The backup file is a base64 encoded-encrypted zip file. The backup file can be encrypted and decrypted using the ‘nvtl_encrypt’ utility on the device. The encryption mechanism used is not unique to the device and configurations can be shared across devices.
An authenticated user is able to download a copy of their devices’ configuration file through the web interface and decode and decrypt the file to read the contents of the zip file.
The user can then modify the zip file to include a ‘root’ crontab file.
After modification, the user can encrypt and encode the file, and use the restore function to upload the modified configuration file.
In this way the user can execute commands on the device as root through the crontab function.
