CVE-2023-50445

Published: 28/12/2023 | Updated: 24/01/2024
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 0

Vulnerability Summary

A shell injection vulnerability in GL.iNet A1300 v4.4.6, AX1800 v4.4.6, AXT1800 v4.4.6, MT3000 v4.4.6, MT2500 v4.4.6, MT6000 v4.5.0, MT1300 v4.3.7, MT300N-V2 v4.3.7, AR750S v4.3.7, AR750 v4.3.7, AR300M v4.3.7, and B1300 v4.3.7 allows local malicious users to execute arbitrary code via the get_system_log and get_crash_log functions of the logread module, as well as the upgrade_online function of the upgrade module.

Vulnerable Products

gl-inet gl-mt1300 firmware 4.3.7

gl-inet gl-mt300n-v2 firmware 4.3.7

gl-inet gl-ar750s firmware 4.3.7

gl-inet gl-ar750 firmware 4.3.7

gl-inet gl-ar300m firmware 4.3.7

gl-inet gl-b1300 firmware 4.3.7

gl-inet gl-mt6000 firmware 4.5.0

gl-inet gl-a1300 firmware 4.4.6

gl-inet gl-ax1800 firmware 4.4.6

gl-inet gl-axt1800 firmware 4.4.6

gl-inet gl-mt3000 firmware 4.4.6

gl-inet gl-mt2500 firmware 4.4.6

Vendor Advisories

Check Point Reference: CPAI-2023-1563 | Date Published: 29 Feb 2024 | Severity: High ...

Exploits

A command injection vulnerability exists in multiple GL.iNet network products, allowing an attacker to inject and execute arbitrary shell commands via JSON parameters at the gl_system_log and gl_crash_log interface in the logread module. This Metasploit exploit requires post-authentication using the Admin-Token cookie/sessionID (SID), typically sto ...
A command injection vulnerability exists in multiple GL.iNet network products, allowing an attacker to inject and execute arbitrary shell commands via JSON parameters at the `gl_system_log` and `gl_crash_log` interface in the `logread` module. This exploit requires post-authentication using the `Admin-Token` cookie/ses ...

Metasploit Modules

GL.iNet Unauthenticated Remote Command Execution via the logread module.

A command injection vulnerability exists in multiple GL.iNet network products, allowing an attacker to inject and execute arbitrary shell commands via JSON parameters at the `gl_system_log` and `gl_crash_log` interface in the `logread` module. This exploit requires post-authentication using the `Admin-Token` cookie/sessionID (`SID`), typically stolen by the attacker. However, by chaining this exploit with vulnerability CVE-2023-50919, one can bypass the Nginx authentication through a `Lua` string pattern matching and SQL injection vulnerability. The `Admin-Token` cookie/`SID` can be retrieved without knowing a valid username and password.

The following GL.iNet network products are vulnerable:

- A1300, AX1800, AXT1800, MT3000, MT2500/MT2500A: v4.0.0 < v4.5.0
- MT6000: v4.5.0 - v4.5.3
- MT1300, MT300N-V2, AR750S, AR750, AR300M, AP1300, B1300: v4.3.7
- E750/E750V2, MV1000: v4.3.8
- X3000: v4.0.0 - v4.4.2
- XE3000: v4.0.0 - v4.4.3
- SFT1200: v4.3.6
- and potentially others (just try ;-)

NOTE: Staged Meterpreter payloads might core dump on the target, so use stage-less Meterpreter payloads when using the Linux Dropper target.

msf > use exploit/linux/http/glinet_unauth_rce_cve_2023_50445
msf exploit(glinet_unauth_rce_cve_2023_50445) > show targets
    ...targets...
msf exploit(glinet_unauth_rce_cve_2023_50445) > set TARGET < target-id >
msf exploit(glinet_unauth_rce_cve_2023_50445) > show options
    ...show and set options...
msf exploit(glinet_unauth_rce_cve_2023_50445) > exploit