| Title | GL.iNet GL-MT3000 4.4.5 Command Injection |
|---|---|
| Description | An unauthenticated command injection vulnerability exists in the `/cgi-bin/glc` endpoint of the affected product. The `glc` CGI binary loads shared object plugins from `/usr/lib/oui-httpd/rpc/` via `dlopen()` and dispatches any exported function via `dlsym()`, with no authentication or method allowlist. The `nas-web.so` plugin exports the internal helper function `eject_disk_do1`, which extracts the `dev_name` parameter from the JSON request body and passes it to `disk_remove_do()`. This function first validates the device name by constructing a path via `snprintf(path, 0x40, "/dev/%s", dev_name)` and checking `access()`, then constructs a shell command via `snprintf(cmd, 0x100, "echo \"#remove_dev:%s;\" > ...", dev_name)` and executes it via `system()`. Due to the buffer size mismatch (0x40 vs 0x100) and Linux path normalization of consecutive slashes, an attacker can craft a `dev_name` that passes the `access()` check (appearing as `/dev/null`) while the shell-injected payload in the remaining portion is executed via `/bin/sh -c`. |
| Source | ⚠️ https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/nas_eject_disk_do1_glc_rce |
| User | strforexc (UID 94617) |
| Submission | 11/05/2026 03:13 PM (27 days ago) |
| Moderation | 06/06/2026 12:33 PM (26 days later) |
| Status | Accepted |
| VulDB entry | 369070 [GL.iNet GL-MT3000 4.4.5 Path Normalization /usr/lib/oui-httpd/rpc/ dlopen dev_name privilege escalation] |
| Points | 20 |
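
A defensive sketch of the pattern in the description above, added here as an example and not taken from the GL.iNet firmware or the submitter's repository: it accepts only plain alphanumeric device names, treats `snprintf` truncation as an error so the checked path and the used value cannot differ, and writes the marker line with stdio instead of `system()`. The function names and the `out_path` parameter are assumptions, since the description elides the real output target.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DEV_PATH_MAX 0x40 /* size of the path buffer named in the description */

/* Hypothetical helper: accept only plain names such as "sda1". */
int dev_name_is_safe(const char *dev_name)
{
    char path[DEV_PATH_MAX];
    int n;

    if (dev_name == NULL || dev_name[0] == '\0')
        return 0;
    for (const char *p = dev_name; *p != '\0'; p++) {
        if (!isalnum((unsigned char)*p))
            return 0; /* rejects '/', ';', '"', '$', '`', whitespace, ... */
    }
    /* Treat truncation as failure so the checked path and the value used
     * later can never differ. */
    n = snprintf(path, sizeof(path), "/dev/%s", dev_name);
    return n > 0 && (size_t)n < sizeof(path);
}

/* Hypothetical replacement for the system("echo ...") step: no shell runs.
 * out_path is an assumption; the page elides the real target. */
int disk_remove_request(const char *dev_name, const char *out_path)
{
    FILE *fp;

    if (!dev_name_is_safe(dev_name))
        return -1;
    fp = fopen(out_path, "w");
    if (fp == NULL)
        return -2;
    fprintf(fp, "#remove_dev:%s;\n", dev_name);
    return fclose(fp) == 0 ? 0 : -2;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "sda1", "mmcblk0p1", "null;id", "//null" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-10s -> %s\n", samples[i],
               dev_name_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

The allowlist addresses only the `dev_name` handling; the description's other finding, that `glc` dispatches any exported plugin function without authentication or a method allowlist, needs its own fix at the dispatcher.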