Version 1.0.3 of the Juplink RX4-1500 router contained a command line injection vulnerability that allowed authenticated users to escape a restricted shell meant for debugging purposes.
This issue was identified through analysis of the router's custom httpd binary which contained a hidden configuration option that enabled telnet. The configuration option could be set by submitting specially-crafted GET requests to arbitrary endpoints on the router:
a=set&x=Device.X_BROADCOM_COM_AppCfg.TelnetdCfg.&Enable=1
The command line injection is triggered by simply running the kill command in the manufacturer's custom telnet interface. The vulnerability is due to unsanitized user input being executed. The router manufacturers did not intend for their custom telnet management interface to run arbitrary system commands.
Here is an example of a maliciously crafted command:
> kill 9999; ls
kill: can't kill pid 9999: No such process
bin bootfs ctcap
...omitted for brevity...
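The unsafe pattern next to one way to fix it, as an added example that is not the router's firmware or the author's code. The page does not show the real handler, so the function names `build_kill_cmdline`, `parse_pid` and `handle_kill` are hypothetical, and the "before" function only builds the string a shell would receive rather than executing it.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* "Before" (assumed pattern): argument pasted into a shell line. Built only, never run. */
int build_kill_cmdline(const char *arg, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "kill %s", arg);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Accept only a complete decimal PID greater than 1. Rejecting 0, 1 and negative
 * values is a design choice: kill(2) treats 0 and negatives as process groups. */
int parse_pid(const char *arg, pid_t *pid)
{
    char *end;
    if (arg == NULL || *arg < '0' || *arg > '9')
        return -1;               /* no sign, whitespace or empty string */
    errno = 0;
    long v = strtol(arg, &end, 10);
    if (errno != 0 || *end != '\0' || v <= 1 || v > INT_MAX)
        return -1;               /* trailing bytes such as "; ls" fail here */
    *pid = (pid_t)v;
    return 0;
}

/* "After": no shell is involved; the validated PID goes straight to kill(2). */
int handle_kill(const char *arg)
{
    pid_t pid;
    if (parse_pid(arg, &pid) != 0)
        return -EINVAL;
    return kill(pid, SIGTERM) == 0 ? 0 : -errno;
}

int main(void)
{
    char buf[64];
    const char *input = "9999; ls";   /* constructed input, same as the session above */
    if (build_kill_cmdline(input, buf, sizeof buf) == 0)
        printf("shell would receive: %s\n", buf);
    printf("hardened handler returns: %d\n", handle_kill(input));
    return 0;
}
```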
Christopher Cerne is a Senior Security Consultant at Stratum Security with over a decade of experience in technology. His passion for computers began in elementary school, evolving into a career focused on identifying security issues in code. After studying embedded device security at Virginia Tech, Christopher now specializes in conducting security reviews and threat modeling for externally facing applications.
Made with ❤️ by Chris Cerne © 2025