Remote Command Execution on GL.iNet's mini-routers

Preparation

Product: GL-AR300M

Firmware version: 2.27

Command Injection

Hijack HTTP Request

The first time we start the device and login the web interface. Let's set the language and the timezone.

Using Fiddle tool to capture the HTTP request:

When we perform this action the login_cgi script takes the content of the timezone parameter and inserts it into the /tmp/TZ file:

Request Forgery

login_cgi

If we try to insert a value not present in the list of timezones, the script blocks us:

We can bypass this and write on TZ file what we want, using this payload:

Replace the payload with:

So I can execute the command. On my remote machine, I am listening the port "12345" via nc -lvp 12345. Now, let's replace the payload with netcat.

For now, I have got the router's shell on my remote machine.

download_file and storage_cgi

The device allows to share on the net the files present inside a storage usb devie and to download them. If we try to download /etc/passwd, the webserver responde with Access Denied, we can bypass it.

Patch of Security Vulnerability

You can apply the Patch of Security Vulnerability.

PreviousOpenWRT系统Next配置DTS支持USB存储

Last updated

Was this helpful?