[Description]
Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 does not validate the user-provided URL within the crtcmode function's enable_ssh sub-operation of the crtcrpc JSON listener (found at /lib/functions/wnc_jsonsh/crtcmode.sh). A remote attacker on the local network can provide a malicious URL. The data (found at that URL) is written to /usr/sbin/dropbear and then executed as root.

[Additional Information]
This vulnerability has been patched on firmware 5.4.91.162. The vulnerable endpoint requires the use of a set of certificates that is embedded in the firmware provisioned to all devices in the fleet (see CVE-2022-28371 for details).

[Vulnerability Type]
File Upload w/ Automatic Execution

[Vendor of Product]
Verizon / Wistron Neweb Corporation

[Affected Product Code Base]
Verizon 5G Home Internet Modem/Router LVSKIHP - 3.4.66.162 (IDU)

[Affected Component]
Line 10 of InDoorUnit file /lib/functions/wnc_jsonsh/crtcmode.sh:
curl -o /usr/sbin/dropbear $2

[Attack Type]
Remote

[Impact]
Code Execution, Escalation of Privileges

[Attack Vectors]
To exploit the vulnerability, a user must send a specially crafted request to a JSONRPC endpoint containing a link to their desired code to execute.

[Discoverers]
Matthew Lichtenberger, Shea Polansky
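
A hardened form of the download step quoted under [Affected Component], added here as an illustration; it is not the vendor's patch or the discoverers' code. The host name, the function names and the idea that an expected SHA-256 digest arrives from a trusted source (for example a signed manifest) are assumptions.

```shell
#!/bin/sh
# Added illustration, not firmware code. ALLOWED_HOST and all function
# names are hypothetical; the host is a placeholder.
ALLOWED_HOST="updates.example.invalid"

# Vulnerable pattern quoted in the advisory (any URL, no integrity check):
#   curl -o /usr/sbin/dropbear $2

# Accept only https://ALLOWED_HOST/<path> with a conservative path charset.
url_is_allowed() {
    case "$1" in
        "https://$ALLOWED_HOST/"*) ;;
        *) return 1 ;;
    esac
    path=${1#"https://$ALLOWED_HOST/"}
    case "$path" in
        ""|*[!A-Za-z0-9._/-]*|*..*) return 1 ;;
    esac
    return 0
}

# Compare a file's SHA-256 with an expected hex digest from a trusted source.
digest_matches() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Download to a temp file, verify, then move into place atomically.
# Returns 2 for a rejected URL, 3 if no temp file, 4 on download/digest failure.
install_verified() {
    url=$1; want=$2; dest=$3
    url_is_allowed "$url" || { echo "rejected URL" >&2; return 2; }
    tmp=$(mktemp "$dest.XXXXXX") || return 3
    # URL is quoted and follows "--" so it is never parsed as curl options.
    if curl --fail --silent --show-error --proto '=https' --max-redirs 0 \
            -o "$tmp" -- "$url" && digest_matches "$tmp" "$want"; then
        chmod 0755 "$tmp" && mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 4
    fi
}
```

The binary only replaces the destination after both the URL check and the digest check pass, so a failed or tampered download leaves the existing file untouched.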