[Description]
Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 does not properly sanitize user-controlled parameters within the crtcreadpartition function of the crtcrpc JSON listener in /usr/lib/lua/luci/crtc.lua. A remote attacker on the local network can inject shell metacharacters to achieve remote code execution as root.

[Additional Information]
This vulnerability has been patched in firmware 5.4.91.162. The vulnerable endpoint requires the use of a set of certificates that is embedded in the firmware provisioned to all devices in the fleet (see CVE-2022-28371 for details).

[Vulnerability Type]
Shell Metacharacter Injection

[Vendor of Product]
Verizon / Wistron Neweb Corporation

[Affected Product Code Base]
Verizon 5G Home Internet Modem/Router LVSKIHP - 3.4.66.162 (IDU)

[Affected Component]
Line 51 of InDoorUnit file /usr/lib/lua/luci/crtc.lua:
luci.sys.exec("echo "..para1.." /tmp/crtcReadPartition")

[Attack Type]
Remote

[Impact]
Code Execution, Denial of Service, Escalation of Privileges, Information Disclosure

[Attack Vectors]
To exploit the vulnerability, a user must send a specially crafted request to a JSONRPC endpoint.

[Discoverers]
Matthew Lichtenberger, Shea Polansky
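A hardened counterpart to the line quoted under [Affected Component], given here as an added example; it is not code from the firmware, the vendor's patch, or the advisory. The function names, the allowed character set and length limit for para1, and the temporary output path are assumptions made for illustration.

```lua
-- Added example, not firmware code. Hypothetical names: is_safe_partition_arg,
-- shell_quote, write_partition_arg. Runs on stock Lua without LuCI.

-- Vulnerable pattern quoted in the advisory (para1 reaches /bin/sh unmodified):
--   luci.sys.exec("echo "..para1.." /tmp/crtcReadPartition")

-- Allow-list check. Assumed format: letters, digits, '_' and '-', 1 to 32 chars.
local function is_safe_partition_arg(s)
  return type(s) == "string" and #s <= 32 and s:match("^[%w_%-]+$") ~= nil
end

-- If a shell truly cannot be avoided, single-quote the value so the shell
-- treats it as one literal word; an embedded ' is emitted as '\''.
local function shell_quote(s)
  return "'" .. (s:gsub("'", "'\\''")) .. "'"
end

-- Hardened form: validate first, then write the file directly with io.open,
-- so no shell ever parses the request parameter.
local function write_partition_arg(para1, path)
  if not is_safe_partition_arg(para1) then
    return nil, "rejected: invalid partition argument"
  end
  local f, err = io.open(path, "w")
  if not f then return nil, err end
  f:write(para1, "\n")
  f:close()
  return true
end

-- Constructed inputs: one well-formed value, the rest carrying characters a
-- shell would interpret (separator, command substitution, whitespace, empty).
local out = os.tmpname()  -- stand-in for the path used on the device
for _, input in ipairs({ "mtd3", "mtd3;id", "$(id)", "a b", "" }) do
  local ok, err = write_partition_arg(input, out)
  print(string.format("%q -> %s", input, ok and "written" or err))
end
print("quoted fallback:", shell_quote("it's"))
os.remove(out)
```

Only the first constructed input is written; the others are rejected before any file or process operation takes place.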