[Description]
Verizon 5G Home LVSKIHP OutDoorUnit (ODU) 3.33.101.0 does not properly sanitize user-controlled parameters within the DMACC URLs on the Settings page of the Engineering portal. An authenticated remote attacker on the local network can inject shell metacharacters into /usr/lib/lua/5.1/luci/controller/admin/settings.lua to achieve remote code execution as root.

[Additional Information]
This vulnerability has been patched on firmware 5.33.141.0. In order to access the engineering portal, one must have the Verizon engineering password to log in. This password is statically generated per-device and follows a known formula (see CVE-2022-28376 for details).

[Vulnerability Type]
Shell Metacharacter Injection

[Vendor of Product]
Verizon / Wistron Neweb Corporation

[Affected Product Code Base]
Verizon 5G Home Internet Modem/Router LVSKIHP - 3.33.101.0 (ODU)

[Affected Component]
Line 340 of OutDoorUnit file /usr/lib/lua/5.1/luci/controller/admin/settings.lua:

    local exec_cmd = "sed -i 's," .. dmacc3_url .."," .. form_value["dmacc3_url"] .. ",g' /etc/dmclient/dmacc3-init_test.txt"

[Attack Type]
Remote

[Impact]
Code Execution
Denial of Service
Escalation of Privileges
Information Disclosure

[Attack Vectors]
To exploit the vulnerability, a user must inject a specially crafted URL into one of the DMACC fields within the Engineering Portal HTTP site on the device.

[Discoverers]
Matthew Lichtenberger, Shea Polansky
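
One way to remove the injection point in the affected line, as an added example that is not the vendor's code or the 5.33.141.0 patch: validate the submitted URL against an allowlist and do the replacement with Lua file I/O, so the form value never reaches a shell. The function names, the allowlist and the sample URLs are assumptions made for illustration.

```lua
-- Added example, Lua 5.1. All helper names are hypothetical, not from the firmware.

-- Accept only http(s) URLs made of a conservative character allowlist
-- (assumed policy: no quotes, backticks, $, ;, |, whitespace or control bytes).
local function is_valid_url(url)
  if type(url) ~= "string" or #url == 0 or #url > 2048 then return false end
  if not url:match("^https?://") then return false end
  return url:match("^[%w%-%._~:/%?#@%%=&+]+$") ~= nil
end

-- Replace every occurrence of `old` with `new`, treating both as literal text.
local function replace_literal(text, old, new)
  if old == "" then return text end
  local out, pos = {}, 1
  while true do
    local s, e = text:find(old, pos, true) -- plain=true disables pattern matching
    if not s then break end
    out[#out + 1] = text:sub(pos, s - 1)
    out[#out + 1] = new
    pos = e + 1
  end
  out[#out + 1] = text:sub(pos)
  return table.concat(out)
end

-- Rewrite the config file in-process; no os.execute or io.popen is involved.
local function update_dmacc_url(path, old_url, new_url)
  if not is_valid_url(new_url) then return nil, "invalid URL" end
  local f, err = io.open(path, "r")
  if not f then return nil, err end
  local text = f:read("*a")
  f:close()
  f, err = io.open(path, "w")
  if not f then return nil, err end
  f:write(replace_literal(text, old_url, new_url))
  f:close()
  return true
end

-- Constructed demo: a temporary file stands in for the dmclient config.
local path = os.tmpname()
local f = assert(io.open(path, "w"))
f:write("server=http://old.example.invalid/dm\n")
f:close()
print(update_dmacc_url(path, "http://old.example.invalid/dm", "https://new.example.invalid/dm"))
print(update_dmacc_url(path, "https://new.example.invalid/dm", "http://x.example.invalid/a'b"))
os.remove(path)
```

The second call is rejected by the allowlist because the constructed value contains a single quote, the character that closes the quoted sed expression in the original line.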