CVE-2023-50919

Published: 12/01/2024 Updated: 24/01/2024
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

An issue exists on GL.iNet devices before version 4.5.0. There is an NGINX authentication bypass via Lua string pattern matching. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7.

Vulnerable Products

gl-inet gl-ax1800_firmware 4.3.7
gl-inet gl-ax1800_firmware 4.4.6
gl-inet gl-axt1800_firmware 4.3.7
gl-inet gl-axt1800_firmware 4.4.6
gl-inet gl-mt3000_firmware 4.3.7
gl-inet gl-mt3000_firmware 4.4.6
gl-inet gl-mt2500_firmware 4.3.7
gl-inet gl-mt2500_firmware 4.4.6
gl-inet gl-mt6000_firmware 4.3.7
gl-inet gl-mt6000_firmware 4.4.6
gl-inet gl-mt1300_firmware 4.3.7
gl-inet gl-mt1300_firmware 4.4.6
gl-inet gl-mt300n-v2_firmware 4.3.7
gl-inet gl-mt300n-v2_firmware 4.4.6
gl-inet gl-ar750s_firmware 4.3.7
gl-inet gl-ar750s_firmware 4.4.6
gl-inet gl-ar750_firmware 4.3.7
gl-inet gl-ar750_firmware 4.4.6
gl-inet gl-ar300m_firmware 4.3.7
gl-inet gl-ar300m_firmware 4.4.6
gl-inet gl-b1300_firmware 4.3.7
gl-inet gl-b1300_firmware 4.4.6
gl-inet gl-a1300_firmware 4.3.7
gl-inet gl-a1300_firmware 4.4.6

Vendor Advisories

Check Point Reference: CPAI-2023-1564 | Date Published: 29 Feb 2024 | Severity: Critical ...

Exploits

A command injection vulnerability exists in multiple GL.iNet network products, allowing an attacker to inject and execute arbitrary shell commands via JSON parameters at the gl_system_log and gl_crash_log interface in the logread module. This Metasploit exploit requires post-authentication using the Admin-Token cookie/sessionID (SID), typically sto ...

Metasploit Modules

GL.iNet Unauthenticated Remote Command Execution via the logread module.

A command injection vulnerability exists in multiple GL.iNet network products, allowing an attacker to inject and execute arbitrary shell commands via JSON parameters at the `gl_system_log` and `gl_crash_log` interface in the `logread` module. This exploit requires post-authentication using the `Admin-Token` cookie/sessionID (`SID`), typically stolen by the attacker. However, by chaining this exploit with vulnerability CVE-2023-50919, one can bypass the Nginx authentication through a `Lua` string pattern matching and SQL injection vulnerability. The `Admin-Token` cookie/`SID` can be retrieved without knowing a valid username and password.

The following GL.iNet network products are vulnerable:
- A1300, AX1800, AXT1800, MT3000, MT2500/MT2500A: v4.0.0 < v4.5.0
- MT6000: v4.5.0 - v4.5.3
- MT1300, MT300N-V2, AR750S, AR750, AR300M, AP1300, B1300: v4.3.7
- E750/E750V2, MV1000: v4.3.8
- X3000: v4.0.0 - v4.4.2
- XE3000: v4.0.0 - v4.4.3
- SFT1200: v4.3.6
- and potentially others (just try ;-)

NOTE: Staged Meterpreter payloads might core dump on the target, so use stage-less Meterpreter payloads when using the Linux Dropper target.

msf > use exploit/linux/http/glinet_unauth_rce_cve_2023_50445
msf exploit(glinet_unauth_rce_cve_2023_50445) > show targets
    ...targets...
msf exploit(glinet_unauth_rce_cve_2023_50445) > set TARGET < target-id >
msf exploit(glinet_unauth_rce_cve_2023_50445) > show options
    ...show and set options...
msf exploit(glinet_unauth_rce_cve_2023_50445) > exploit