Rapid7 Vulnerability & Exploit Database

GL.iNet Unauthenticated Remote Command Execution via the logread module.

Disclosed
12/10/2023
Created
01/24/2024

Description

A command injection vulnerability exists in multiple GL.iNet network products, allowing an attacker to inject and execute arbitrary shell commands via JSON parameters at the `gl_system_log` and `gl_crash_log` interface in the `logread` module. On its own the exploit is post-authentication: it requires the `Admin-Token` cookie/sessionID (`SID`), typically stolen by the attacker. However, by chaining this exploit with vulnerability CVE-2023-50919, one can bypass the Nginx authentication through a `Lua` string pattern matching and SQL injection vulnerability, so the `Admin-Token` cookie/`SID` can be retrieved without knowing a valid username and password.

The following GL.iNet network products are vulnerable:

  • A1300, AX1800, AXT1800, MT3000, MT2500/MT2500A: v4.0.0 < v4.5.0
  • MT6000: v4.5.0 - v4.5.3
  • MT1300, MT300N-V2, AR750S, AR750, AR300M, AP1300, B1300: v4.3.7
  • E750/E750V2, MV1000: v4.3.8
  • X3000: v4.0.0 - v4.4.2
  • XE3000: v4.0.0 - v4.4.3
  • SFT1200: v4.3.6
  • and potentially others (just try ;-)

NOTE: Staged Meterpreter payloads might core dump on the target, so use stage-less Meterpreter payloads when using the Linux Dropper target.
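The affected-version list above can be used as an inventory check. The following is an added example, not code from Rapid7 or the Metasploit module; it assumes "v4.0.0 < v4.5.0" means 4.0.0 up to but not including 4.5.0 and that ranges written "a - b" are inclusive, and the function names and sample inventory are constructed for illustration.

```python
import re

# Affected ranges transcribed from the advisory text: (models, low, high, high_inclusive).
# Assumption: "v4.0.0 < v4.5.0" excludes 4.5.0; "a - b" ranges include both ends.
AFFECTED = [
    (("A1300", "AX1800", "AXT1800", "MT3000", "MT2500", "MT2500A"), "4.0.0", "4.5.0", False),
    (("MT6000",), "4.5.0", "4.5.3", True),
    (("MT1300", "MT300N-V2", "AR750S", "AR750", "AR300M", "AP1300", "B1300"), "4.3.7", "4.3.7", True),
    (("E750", "E750V2", "MV1000"), "4.3.8", "4.3.8", True),
    (("X3000",), "4.0.0", "4.4.2", True),
    (("XE3000",), "4.0.0", "4.4.3", True),
    (("SFT1200",), "4.3.6", "4.3.6", True),
]

def parse_version(text):
    """Turn 'v4.3.7', '4.3.7' or '4.3' into a comparable tuple such as (4, 3, 7)."""
    match = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"unparseable firmware version: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad '4.3' to (4, 3, 0)

def status(model, firmware):
    """Classify one device against the advisory's list."""
    name = model.strip().upper()
    try:
        version = parse_version(firmware)
    except ValueError:
        return "unparseable-version"
    for models, low, high, inclusive in AFFECTED:
        if name in models:
            lo, hi = parse_version(low), parse_version(high)
            hit = lo <= version and (version <= hi if inclusive else version < hi)
            return "affected" if hit else "outside-listed-range"
    # The advisory says other models are potentially affected, so an
    # unlisted model is reported for review rather than treated as safe.
    return "unlisted-model"

def audit(inventory):
    """Return (host, model, firmware, status) for every device needing attention."""
    return [(h, m, f, s) for h, m, f in inventory
            if (s := status(m, f)) != "outside-listed-range"]

# Constructed sample inventory; host names and GL-EXAMPLE are hypothetical.
SAMPLE_INVENTORY = [("gw-lab", "MT3000", "4.4.6"), ("gw-branch", "MT6000", "4.5.5"),
                    ("gw-travel", "GL-EXAMPLE", "4.2.0")]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(*row)
```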

Author(s)

  • h00die-gr3y <h00die.gr3y@gmail.com>
  • Unknown
  • DZONERZY

Platform

Linux, Unix

Architectures

cmd, mipsle, mipsbe, armle, aarch64

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/linux/http/glinet_unauth_rce_cve_2023_50445
msf exploit(glinet_unauth_rce_cve_2023_50445) > show targets
    ...targets...
msf exploit(glinet_unauth_rce_cve_2023_50445) > set TARGET < target-id >
msf exploit(glinet_unauth_rce_cve_2023_50445) > show options
    ...show and set options...
msf exploit(glinet_unauth_rce_cve_2023_50445) > exploit
