
GL.iNet Unauthenticated Remote Command Execution via the logread module.

Disclosed
2023-12-10
Created
2024-01-24

Description

A command injection vulnerability exists in multiple GL.iNet network products, allowing an attacker
to inject and execute arbitrary shell commands via JSON parameters passed to the `gl_system_log` and
`gl_crash_log` interfaces of the `logread` module.
This exploit requires authentication with the `Admin-Token` cookie/session ID (`SID`), which the attacker
typically has to steal first.
However, by chaining this exploit with CVE-2023-50919, the Nginx authentication can be bypassed through a
`Lua` string pattern matching and SQL injection vulnerability, so the `Admin-Token` cookie/`SID` can be
retrieved without knowing a valid username and password.
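As an added defender-side example (not part of the module or of this page), the following Python flags RPC request bodies that call the `logread` module's `gl_system_log` or `gl_crash_log` method with shell metacharacters in an argument. The JSON-RPC request shape, the `params` layout, the `type` argument name and the sample bodies are all assumptions constructed for the example, not values taken from the advisory.

```python
import json
import re

# Shell metacharacters that have no place in a log-query argument (assumed heuristic).
SHELL_META = re.compile(r"[;&|`<>\n]|\$\(")
TARGET_METHODS = {"gl_system_log", "gl_crash_log"}


def _strings(value):
    """Yield every string nested anywhere inside a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (dict, list)):
        for v in (value.values() if isinstance(value, dict) else value):
            yield from _strings(v)


def inspect_rpc(body):
    """Return a finding for a logread call carrying shell metacharacters, else None.

    Assumed request shape (constructed, not taken from the advisory):
      {"method": "call", "params": [<sid>, "<module>", "<method>", {<args>}]}
    """
    try:
        req = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return None
    params = req.get("params") if isinstance(req, dict) else None
    if not isinstance(params, list) or len(params) < 3:
        return None
    sid, module, method = params[0], params[1], params[2]
    if module != "logread" or method not in TARGET_METHODS:
        return None
    args = params[3] if len(params) > 3 else {}
    tainted = [s for s in _strings(args) if SHELL_META.search(s)]
    if not tainted:
        return None
    return {"method": method, "sid": sid, "tainted": tainted}


def scan_bodies(bodies):
    """Run inspect_rpc over a sequence of request bodies, keeping only hits."""
    return [hit for hit in map(inspect_rpc, bodies) if hit]


# Constructed sample request bodies (not real traffic).
SAMPLE_BODIES = [
    '{"method":"call","params":["a1b2c3","logread","gl_system_log",{"type":"kernel"}]}',
    '{"method":"call","params":["a1b2c3","logread","gl_crash_log",{"type":"kernel; uname"}]}',
    '{"method":"call","params":["a1b2c3","system","get_status",{"name":"x | y"}]}',
]
```

Only the second body is reported: a benign `logread` query and a metacharacter in an unrelated module are both left alone, which keeps the rule focused on the interfaces named above.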

The following GL.iNet network products are vulnerable:
- A1300, AX1800, AXT1800, MT3000, MT2500/MT2500A: v4.0.0 - MT6000: v4.5.0 - v4.5.3;
- MT1300, MT300N-V2, AR750S, AR750, AR300M, AP1300, B1300: v4.3.7;
- E750/E750V2, MV1000: v4.3.8;
- X3000: v4.0.0 - v4.4.2;
- XE3000: v4.0.0 - v4.4.3;
- SFT1200: v4.3.6;
- and potentially others (just try ;-)

NOTE: Staged Meterpreter payloads might core dump on the target, so use stage-less Meterpreter payloads
when using the Linux Dropper target.

Authors

h00die-gr3y h00die.gr3y@gmail.com
Unknown
DZONERZY

Platform

Linux, Unix

Architectures

cmd, mipsle, mipsbe, armle, aarch64

Module Options

To display the available options, load the module within the Metasploit console and run the commands `show options` or `show advanced`:


msf > use exploit/linux/http/glinet_unauth_rce_cve_2023_50445
msf exploit(glinet_unauth_rce_cve_2023_50445) > show targets
...targets...
msf exploit(glinet_unauth_rce_cve_2023_50445) > set TARGET < target-id >
msf exploit(glinet_unauth_rce_cve_2023_50445) > show options
...show and set options...
msf exploit(glinet_unauth_rce_cve_2023_50445) > exploit
