OS Command Injection in Various GL.INet Devices
| Field | Value |
|---|---|
| CVE ID | CVE-2024-39226 |
| CVE Link | https://nvd.nist.gov/vuln/detail/CVE-2024-39226 |
| Vendor | GL.iNet |
| Affected Product & Version | MT6000: 4.5.8 |
| Vulnerability Type | CWE-78: Improper Neutralization of Special Elements used in an OS command ('OS Command Injection') |
| CVSS Base Score / CVSS Vector (NVD) | 9.8 Critical / CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVSS Base Score / CVSS Vector (BDO) | 8.8 High / CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Author | Patrick Walker |
| Date | 2024-08-06 |
CVE Details
Description:
Due to an improper neutralization of special elements used in an OS command inside the s2s API of the GL-iNet firmware, an authenticated attacker can inject and execute arbitrary shell commands when configuring the echo server.
The enable_echo_server function inside /usr/lib/oui-httpd/rpc/s2s.so performs the following actions:
1. Parse the supplied JSON and retrieve the string value of the port property.
2. Use inline atoi() calls to verify that the supplied value is a number between 0 and 65535.
3. Use an sprintf() call with the mask "%s -p %s -f", the static string /usr/bin/echo_server and the string value received in step 1.
4. Perform a system() call with the resulting string from step 3.
Since atoi() converts only the leading numeric prefix of the supplied string and silently discards everything from the first non-numeric character onwards, the checks from step 2 can be bypassed even when the port value contains more than just a number. By specifying a payload that contains shell meta-characters (e.g., $(touch /root/test)), it is possible to inject arbitrary OS commands.
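The following C program is an added illustration of the four steps above and of the atoi() bypass; it is not code from the GL.iNet firmware or from the advisory. It models the weak range check and the command-string construction the advisory describes (without calling system()), then shows a hardened parse that accepts only digit-only values in 0..65535 and an argv builder that lets the caller exec the echo server directly, so no shell parses the value. The function names, the sample inputs and the argv layout are constructed for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Weak check modelled on step 2 of the advisory: atoi() parses the leading
 * digits and silently drops everything from the first non-digit on, so
 * "8080$(touch /root/test)" is seen as 8080 and passes the range check. */
bool weak_port_check(const char *s)
{
    int port = atoi(s);
    return port >= 0 && port <= 65535;
}

/* Command string modelled on step 3 of the advisory (the system() call of step 4
 * is deliberately not made here): the unvalidated remainder of the value lands
 * verbatim inside the shell command line. */
void build_vulnerable_command(const char *port_str, char *out, size_t out_len)
{
    snprintf(out, out_len, "%s -p %s -f", "/usr/bin/echo_server", port_str);
}

/* Hardened parse: every byte must be a decimal digit and the value must lie in
 * 0..65535. Leading whitespace, signs and trailing metacharacters are all rejected,
 * because strtol() is only consulted after the digits-only scan succeeds. */
bool strict_port_parse(const char *s, int *port_out)
{
    if (s == NULL || *s == '\0')
        return false;
    for (const char *p = s; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return false;
    errno = 0;
    char *end = NULL;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 0 || v > 65535)
        return false;
    *port_out = (int)v;
    return true;
}

/* Build the argv for "/usr/bin/echo_server -p <port> -f" so the caller can
 * fork() and execv() it (casting to char *const * as execv requires): no shell
 * ever parses the value. The port is re-rendered from the parsed integer, so only
 * canonical digits reach the child. Returns 0 on success, -1 if the value is rejected. */
int build_echo_server_argv(const char *port_str, char *port_buf, size_t port_buf_len,
                           const char *argv[5])
{
    int port;
    if (!strict_port_parse(port_str, &port))
        return -1;
    snprintf(port_buf, port_buf_len, "%d", port);
    argv[0] = "/usr/bin/echo_server";
    argv[1] = "-p";
    argv[2] = port_buf;
    argv[3] = "-f";
    argv[4] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample values: a benign port, the advisory's own injection
     * string, an out-of-range port and a negative one. */
    const char *inputs[] = { "8080", "8080$(touch /root/test)", "65536", "-1" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char cmd[128];
        int port = -1;
        build_vulnerable_command(inputs[i], cmd, sizeof cmd);
        printf("value=%-26s weak=%d strict=%d cmd=\"%s\"\n", inputs[i],
               weak_port_check(inputs[i]), strict_port_parse(inputs[i], &port), cmd);
    }
    return 0;
}
```

Running the program shows the injection string passing the weak check while the hardened parse rejects it; the argv builder never produces a command line at all, which is the structural fix: validating the number is necessary, but removing the shell from the call path is what makes the metacharacters harmless.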
Remediation:
Update firmware to the latest available version, at least to (depending on model):
3.2.18, 4.3.17, 4.4.9, 4.5.17, 4.6.2
References:
Timeline:
2024-05-05: Vulnerability reported to GL-iNet
2024-05-30: Vulnerability was fixed
2024-08-01: GL-iNet published vendor security advisory
2024-08-06: CVE published