CVE-2024-39227

Missing Access Controls and Path Traversal in Various GL.INet Devices


CVE ID
CVE-2024-39227
CVE Link
https://nvd.nist.gov/vuln/detail/CVE-2024-39227
Vendor
GL.iNet
Affected Product & Version

MT6000: 4.5.8
A1300/X300B: 4.5.16
AX1800/AXT1800/MT2500/MT3000: 4.5.16
X3000/XE3000: 4.4.8
XE300: 4.3.16
E750: 4.3.12
X750/SFT1200/AR300M/AR300M16/AR750/AR750S/B1300/MT1300/MT300N-V2/AP1300: 3.217
B2200/MV1000/MV1000W/USB150/SF1200/N300/S1300: 3.216

Vulnerability Type
Missing Access Controls and Path Traversal
CVSS Base Score / CVSS Vector

NVD: 9.8 Critical / CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

BDO: 5.9 Medium / CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Author
Patrick Walker
Date
2024-08-06

CVE Details

Description:

Due to missing access controls, the /cgi-bin/glc endpoint of the GL.iNet firmware can be reached directly via HTTP without authentication. Additionally, due to improper input validation inside the glc binary, path traversal sequences can be injected into a request and used to call functions from arbitrary shared objects, potentially leading to arbitrary code execution.

The main function of the glc binary in the /www/cgi-bin directory does not properly sanitize the JSON data it receives, so a path traversal sequence (e.g., ../) can be placed inside the object parameter. The application parses the received JSON and performs the following steps:

1. Use sprintf() to concatenate the string /usr/lib/oui-http/rpc with the received object value and the string .so.

2. Perform a dlopen() call to dynamically load the specified library.

3. Perform a dlsym() call to get the address of the function name specified via the method JSON parameter.

4. Call the resolved function, providing the args JSON parameter's value as the first argument.

Since the object value is used "as is" in step 1, an arbitrary library can be loaded and any exported function inside that library can be called. For this to be useful, the called function must know how to process the supplied JSON object/struct, so exploitability is quite limited on its own.

The missing access controls can be combined with CVE-2024-39226 to gain unauthenticated remote code execution on the GL.iNet devices.
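The root cause in step 1 is that an attacker-controlled string reaches a format-string concatenation and then dlopen() with no character restrictions. The following C example, added here and not taken from the GL.iNet firmware, shows the kind of validation that closes the traversal: the object and method names are checked against a conservative identifier charset before a bounded snprintf() builds the library path. The directory /usr/lib/oui-http/rpc and the .so suffix come from the advisory; the trailing slash, the function names, the 64-character limit and the sample request values are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Added example, not GL.iNet code. Directory and suffix are taken from the
 * advisory text; the trailing slash and the name limit are assumptions. */
#define RPC_LIB_DIR    "/usr/lib/oui-http/rpc/"
#define RPC_LIB_SUFFIX ".so"
#define RPC_NAME_MAX   64

enum rpc_err { RPC_OK = 0, RPC_ERR_BAD_NAME = -1, RPC_ERR_TOO_LONG = -2 };

/* Accept only [A-Za-z0-9_-]. Rejecting '/' and '.' outright means no "../"
 * sequence (and no absolute path) can ever reach the path construction. */
int rpc_name_is_safe(const char *name)
{
    size_t n, i;
    if (name == NULL || *name == '\0')
        return 0;
    n = strlen(name);
    if (n > RPC_NAME_MAX)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Build "<dir><object>.so" into out, but only for a validated object name.
 * A bounded snprintf() replaces the unbounded sprintf() from the advisory;
 * the caller would hand the result to dlopen() only when RPC_OK is returned. */
int rpc_build_library_path(const char *object, char *out, size_t outlen)
{
    int written;
    if (!rpc_name_is_safe(object))
        return RPC_ERR_BAD_NAME;
    written = snprintf(out, outlen, "%s%s%s", RPC_LIB_DIR, object, RPC_LIB_SUFFIX);
    if (written < 0 || (size_t)written >= outlen)
        return RPC_ERR_TOO_LONG;
    return RPC_OK;
}

/* The same charset check applied to the method name before dlsym() (step 3),
 * so that only plain symbol names can be resolved. */
int rpc_validate_method(const char *method)
{
    return rpc_name_is_safe(method) ? RPC_OK : RPC_ERR_BAD_NAME;
}

int main(void)
{
    /* Constructed sample object values: well-formed names and rejected ones. */
    const char *samples[] = { "system", "net-work_1", "../../../tmp/evil", "" };
    char path[256];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = rpc_build_library_path(samples[i], path, sizeof path);
        if (rc == RPC_OK)
            printf("object \"%s\" -> %s\n", samples[i], path);
        else
            printf("object \"%s\" rejected (%d)\n", samples[i], rc);
    }
    return 0;
}
```

An allowlist of known RPC module names would be stricter still, but the charset check alone already removes the traversal primitive while keeping the JSON-RPC dispatch model the binary uses; the access-control gap on /cgi-bin/glc is a separate fix at the web-server or handler level.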


Remediation:

Update firmware to the latest available version, at least to (depending on model):
3.2.18, 4.3.17, 4.4.9, 4.5.17, 4.6.2



References:


Timeline:

2024-05-05: Vulnerability reported to GL.iNet

2024-05-30: Vulnerability was fixed

2024-08-01: GL.iNet published vendor security advisory

2024-08-06: CVE published