CVE-2019-6272 in GL-AR300M-Lite
Summary
by MITRE
Command injection vulnerability in login_cgi in GL.iNet GL-AR300M-Lite devices with firmware 2.27 allows remote attackers to execute arbitrary code.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 09/14/2024
The CVE-2019-6272 vulnerability represents a critical command injection flaw within the login_cgi component of GL.iNet GL-AR300M-Lite wireless routers running firmware version 2.27. This vulnerability exists in the web-based administrative interface of the device, specifically in how the login_cgi script processes user input during authentication attempts. The flaw allows remote attackers to inject malicious commands that are subsequently executed on the underlying operating system, effectively providing unauthorized code execution capabilities. The vulnerability stems from inadequate input validation and sanitization within the authentication handler, where user-supplied parameters are directly incorporated into system commands without proper filtering or escaping mechanisms.
The technical implementation of this vulnerability involves the exploitation of the login_cgi script's handling of the username parameter in authentication requests. When an attacker submits a malicious username containing shell metacharacters such as semicolons, ampersands, or command substitution operators, these characters are not properly sanitized before being passed to system commands. This creates a classic command injection scenario where the attacker can append arbitrary commands to the legitimate authentication process. The vulnerability is particularly dangerous because it operates at the administrative level, allowing attackers to execute commands with the privileges of the web server process, which typically runs with elevated system permissions.
From an operational impact perspective, this vulnerability enables remote code execution on affected devices, potentially allowing attackers to gain full administrative control over the router. Attackers can leverage this access to modify network configurations, install malicious firmware, redirect traffic through command and control servers, or use the device as a pivot point for further attacks within the local network. The GL-AR300M-Lite devices are commonly deployed in residential and small office environments, making them attractive targets for attackers seeking to establish persistent access points or conduct network reconnaissance. The vulnerability's remote exploitability means that attackers do not require physical access or local network presence to compromise affected devices.
The security implications extend beyond immediate code execution capabilities, as this vulnerability aligns with multiple ATT&CK framework techniques including T1059 Command and Scripting Interpreter and T1078 Valid Accounts for maintaining persistent access. The vulnerability also corresponds to CWE-77 Command Injection, which is classified as a high-severity weakness in the Common Weakness Enumeration catalog. Organizations should implement immediate mitigations including firmware updates from GL.iNet, network segmentation to isolate affected devices, and monitoring for suspicious authentication attempts or unusual network traffic patterns. Network administrators should also consider implementing intrusion detection systems to identify potential exploitation attempts and establish baseline network behavior for anomaly detection. The vulnerability highlights the critical importance of input validation in web applications and demonstrates how seemingly minor security oversights in authentication components can lead to complete system compromise.