CVSSv3: 9.8

CVE-2023-50919

Published: 12/01/2024 Updated: 24/01/2024
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

An issue exists on GL.iNet devices before version 4.5.0. There is an NGINX authentication bypass via Lua string pattern matching. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7.

Vulnerable Products

gl-inet gl-ax1800 firmware 4.3.7

gl-inet gl-ax1800 firmware 4.4.6

gl-inet gl-axt1800 firmware 4.3.7

gl-inet gl-axt1800 firmware 4.4.6

gl-inet gl-mt3000 firmware 4.3.7

gl-inet gl-mt3000 firmware 4.4.6

gl-inet gl-mt2500 firmware 4.3.7

gl-inet gl-mt2500 firmware 4.4.6

gl-inet gl-mt6000 firmware 4.3.7

gl-inet gl-mt6000 firmware 4.4.6

gl-inet gl-mt1300 firmware 4.3.7

gl-inet gl-mt1300 firmware 4.4.6

gl-inet gl-mt300n-v2 firmware 4.3.7

gl-inet gl-mt300n-v2 firmware 4.4.6

gl-inet gl-ar750s firmware 4.3.7

gl-inet gl-ar750s firmware 4.4.6

gl-inet gl-ar750 firmware 4.3.7

gl-inet gl-ar750 firmware 4.4.6

gl-inet gl-ar300m firmware 4.3.7

gl-inet gl-ar300m firmware 4.4.6

gl-inet gl-b1300 firmware 4.3.7

gl-inet gl-b1300 firmware 4.4.6

gl-inet gl-a1300 firmware 4.3.7

gl-inet gl-a1300 firmware 4.4.6

Vendor Advisories

Check Point Reference: CPAI-2023-1564 Date Published: 29 Feb 2024 Severity: Critical ...

Exploits

A command injection vulnerability exists in multiple GLiNet network products, allowing an attacker to inject and execute arbitrary shell commands via JSON parameters at the gl_system_log and gl_crash_log interface in the logread module. This Metasploit exploit requires post-authentication using the Admin-Token cookie/sessionID (SID), typically sto ...
A command injection vulnerability exists in multiple GLiNet network products, allowing an attacker to inject and execute arbitrary shell commands via JSON parameters at the `gl_system_log` and `gl_crash_log` interface in the `logread` module. This exploit requires post-authentication using the `Admin-Token` cookie/ses ...

Metasploit Modules

GL.iNet Unauthenticated Remote Command Execution via the logread module.

A command injection vulnerability exists in multiple GL.iNet network products, allowing an attacker to inject and execute arbitrary shell commands via JSON parameters at the `gl_system_log` and `gl_crash_log` interface in the `logread` module. This exploit requires post-authentication using the `Admin-Token` cookie/sessionID (`SID`), typically stolen by the attacker. However, by chaining this exploit with vulnerability CVE-2023-50919, one can bypass the Nginx authentication through a `Lua` string pattern matching and SQL injection vulnerability. The `Admin-Token` cookie/`SID` can be retrieved without knowing a valid username and password.

The following GL.iNet network products are vulnerable:

- A1300, AX1800, AXT1800, MT3000, MT2500/MT2500A: v4.0.0 < v4.5.0
- MT6000: v4.5.0 - v4.5.3
- MT1300, MT300N-V2, AR750S, AR750, AR300M, AP1300, B1300: v4.3.7
- E750/E750V2, MV1000: v4.3.8
- X3000: v4.0.0 - v4.4.2
- XE3000: v4.0.0 - v4.4.3
- SFT1200: v4.3.6
- and potentially others (just try ;-)

NOTE: Staged Meterpreter payloads might core dump on the target, so use stage-less Meterpreter payloads when using the Linux Dropper target.

msf > use exploit/linux/http/glinet_unauth_rce_cve_2023_50445
msf exploit(glinet_unauth_rce_cve_2023_50445) > show targets
    ...targets...
msf exploit(glinet_unauth_rce_cve_2023_50445) > set TARGET < target-id >
msf exploit(glinet_unauth_rce_cve_2023_50445) > show options
    ...show and set options...
msf exploit(glinet_unauth_rce_cve_2023_50445) > exploit