| عنوان | GL.iNet GL-MT3000 4.4.5 Command Injection |
|---|
| الوصف | An authenticated command injection vulnerability exists in the `iwinfo.scan` ubus RPC method of the affected product. The `iwinfo.so` plugin exposed by rpcd accepts a `device` parameter that undergoes only blobmsg type validation (BLOBMSG_TYPE_STRING). The raw parameter is passed through `iwinfo_backend()` into `libiwinfo.so`, where the MTK backend probe uses `strstr()` substring matching to select the backend, but the device remapping logic inside the MTK scan function uses `strcmp()` exact matching. An attacker can craft a device string that passes the substring probe but fails the exact remap, causing the raw payload to flow directly into `sprintf(buf, "iwpriv %s set SiteSurvey=", device)` followed by `system(buf)`, resulting in root command execution. |
|---|
| المصدر | ⚠️ https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/iwinfo_scan_ubus_rce |
|---|
| المستخدم | strforexc (UID 94617) |
|---|
| ارسال | 10/05/2026 03:55 PM (29 أيام منذ) |
|---|
| الاعتدال | 06/06/2026 12:33 PM (27 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 369067 [GL.iNet GL-MT3000 حتى 4.4.5 MTK Backend iwinfo.so iwinfo_backend device تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|