إرسال #820049: GL.iNet MT3000 4.4.5 Command Injectionالمعلومات

عنوانGL.iNet MT3000 4.4.5 Command Injection
الوصفAn authenticated configuration injection vulnerability exists in the OpenVPN client import workflow of the affected product. An attacker with admin credentials can upload a malicious .ovpn configuration file through the /upload endpoint. The file content is not validated for dangerous OpenVPN directives. When the imported configuration is later loaded by ovpnclient.sh, a sed filter only strips 4 directives (daemon, dev, dev-type, tun-mtu), leaving 200+ OpenVPN directives intact. Since the OpenVPN process is launched with --script-security 3 as root, an attacker can inject directives such as writepid, up, down, tls-verify, and client-connect to achieve arbitrary file creation or root command execution. The reported vulnerable flow is: Authenticated user -> POST /upload (multipart with sid, path=/tmp/ovpn_upload/<name>.ovpn, file=<malicious .ovpn>) -> oui-upload.lua checks path allowlist only, does NOT inspect file content -> file written to /tmp/ovpn_upload/<name>.ovpn -> POST /rpc calls ovpn-client.check_config(filename=<name>.ovpn) -> ovpn-client.so reads the file, validates format only, does NOT check for dangerous directives -> POST /rpc calls ovpn-client.confirm_config(group_id=...) -> ovpn-client.so writes UCI entry: option path '/tmp/ovpn_upload/<name>.ovpn' -> POST /rpc calls ovpn-client.start(group_id=..., client_id=...) -> netifd reads UCI, calls ovpnclient.sh -> ovpnclient.sh:50 applies sed filter (only removes 4 directives) -> writepid / up / down / tls-verify etc. pass through untouched -> ovpnclient.sh:66 launches: /usr/sbin/openvpn --script-security 3 --config <filtered file> -> OpenVPN processes injected directives as root -> arbitrary file creation (writepid) or command execution (up/down/tls-verify)
المصدر⚠️ https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/ovpn_client_import
المستخدم
 strforexc (UID 94617)
ارسال06/05/2026 09:34 AM (1 شهر منذ)
الاعتدال05/06/2026 08:26 PM (1 month later)
الحالةتمت الموافقة
إدخال VulDB368966 [GL.iNet MT3000 حتى 4.4.5 OpenVPN Client Import Workflow ovpnclient.sh تجاوز الصلاحيات]
النقاط20

التالي نظرة عامة السابق

Do you want to use VulDB in your project?

Use the official API to access entries easily!