Overview - All GL.iNET devices running firmware <= 3.215 are vulnerable to arbitrary file write: an empty file can be created anywhere on the filesystem. The root cause is a command injection vulnerability that survives the firmware's shell-metacharacter filter. Example request below:
POST /api/internet/ping HTTP/1.1
Host: 192.168.8.1
Authorization: 80dafe40822e4a59b6daabd659617963
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 30

ping_addr=127.0.0.1+>/tmp/test
Description
The API endpoint /api/internet/ping takes a ping_addr parameter and substitutes it into the shell command ping %s -c4 > /tmp/ping_result 2>&1.
Since firmware 3.215, all string parameters are checked for shell-injection characters (such as ; or |), and any API request containing them is immediately blocked. This check was implemented in response to CVE-2022-31898. The blocked characters are ;, |, &, (, ), $, and the backtick. However, > and < are not blocked, which is what allows the redirection above. In addition, the - character is not prohibited, so extra ping arguments can be supplied, although extra ping arguments do not give much more control over the system.
Note that this can also be used to overwrite existing files. For example, the payload 127.0.0.1+>/etc/shadow would truncate the /etc/shadow file to zero bytes, bricking the system.
Steps to reproduce - run the proof of concept below with python3 exploit.py <domain/IP> <authtoken> </path/to/file>, for example python3 exploit.py 192.168.8.1 80dafe40822e4a59b6daabd659617963 /tmp/arbitrary_file_write
Fix
This was fixed in 3.216 by filtering out all > characters.
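The following Python example is added here to illustrate the Description and Fix sections; it is not GL.iNET's code and does not reproduce the firmware's implementation. It models the 3.215 character denylist and the 3.216 denylist (the page's list plus >) exactly as the advisory describes them, decodes the example request body to show that the + is a form-encoded space, and contrasts the denylist with the stricter check a practitioner would want: validating ping_addr as an IP literal or DNS hostname and invoking ping as an argv list, so that no shell ever parses the parameter and the result file is written by the handler rather than by shell redirection. The function names, the modeled denylists and the run_ping handler are assumptions made for this example.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional, Set
from urllib.parse import parse_qs

# Characters the 3.215 filter rejects, as listed in the advisory (modeled here).
BLOCKED_3_215: Set[str] = set(";|&()$`")
# 3.216 additionally rejects '>' (Fix section). '<' is still absent from the list.
BLOCKED_3_216: Set[str] = BLOCKED_3_215 | {">"}


def decode_ping_addr(body: str) -> str:
    """Decode the ping_addr field of an x-www-form-urlencoded body ('+' is a space)."""
    return parse_qs(body, keep_blank_values=True).get("ping_addr", [""])[0]


def denylist_allows(value: str, blocked: Set[str]) -> bool:
    """The firmware's approach: pass the value unless it contains a blocked character."""
    return not any(ch in blocked for ch in value)


# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_ping_addr(value: str) -> Optional[str]:
    """Allowlist approach: accept only an IPv4/IPv6 literal or a DNS hostname.

    Returns the accepted target, or None. Spaces, redirection characters and
    option-like strings (leading '-') all fail because no label may contain them.
    """
    if not value or len(value) > 253:
        return None
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if all(_LABEL.match(label) for label in value.split(".")):
        return value
    return None


def build_ping_argv(target: str) -> List[str]:
    """Equivalent of 'ping %s -c4' as an argv list: no shell parses the target."""
    return ["ping", "-c", "4", target]


def run_ping(value: str, result_path: str = "/tmp/ping_result") -> bool:
    """Hypothetical hardened handler: validate, run without a shell, and write the
    output to the result file from the handler instead of via shell redirection."""
    target = validate_ping_addr(value)
    if target is None:
        return False
    proc = subprocess.run(build_ping_argv(target), capture_output=True, text=True)
    with open(result_path, "w") as fh:
        fh.write(proc.stdout + proc.stderr)
    return True


if __name__ == "__main__":
    # Body taken from the advisory's example request.
    payload = decode_ping_addr("ping_addr=127.0.0.1+>/tmp/test")
    print(repr(payload), "passes 3.215 denylist:", denylist_allows(payload, BLOCKED_3_215))
    print(repr(payload), "passes 3.216 denylist:", denylist_allows(payload, BLOCKED_3_216))
    print(repr(payload), "passes allowlist:", validate_ping_addr(payload) is not None)
```

Running the module shows the advisory's payload passing the modeled 3.215 denylist, failing the modeled 3.216 denylist, and failing the allowlist. The allowlist also rejects values that no denylist entry on the page covers (a value containing a space and <, for instance), which is why validating the parameter's shape and avoiding the shell entirely is preferable to extending the list of forbidden characters. run_ping performs a real ping and is meant for reading, not for the checks below.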