CVE-2023-50922 in A1300info

Summary

by MITRE • 01/03/2024

An issue was discovered on GL.iNet devices through 4.5.0. Attackers who are able to steal the AdminToken cookie can execute arbitrary code by uploading a crontab-formatted file to a specific directory and waiting for its execution. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 06/03/2025

This vulnerability represents a critical privilege escalation and remote code execution flaw affecting multiple GL.iNet router models including A1300, AX1800, MT3000, and several others up to version 4.5.0. The issue stems from inadequate session management and insufficient input validation in the device's web interface authentication mechanism. Attackers who can obtain the AdminToken cookie, typically through session hijacking or other credential theft techniques, can leverage this weakness to gain administrative access and subsequently execute arbitrary code on the affected devices. The vulnerability specifically targets the device's cron job execution system, allowing attackers to upload malicious crontab-formatted files to designated directories and wait for scheduled execution.

The technical implementation of this flaw involves the exploitation of a path traversal vulnerability combined with improper access controls. When an attacker uploads a malicious crontab file to a specific directory, the device's cron daemon executes this file without proper validation of its contents or source. This creates a persistent backdoor mechanism that allows attackers to maintain long-term access to the network infrastructure. The vulnerability is particularly dangerous because it requires minimal privileges to exploit - once an attacker obtains the AdminToken cookie, they can execute commands with administrative privileges. The affected devices typically run embedded Linux systems with standard cron scheduling capabilities, making this attack vector particularly effective.

From an operational perspective, this vulnerability poses significant risks to network security and infrastructure integrity. The affected devices are commonly deployed in residential and small office environments, making them attractive targets for attackers seeking to establish persistent access points within networks. The exploitation process is relatively straightforward and can be automated, allowing attackers to quickly compromise multiple devices in a network. This vulnerability directly impacts the confidentiality, integrity, and availability of network services, as attackers can modify device configurations, exfiltrate data, or use the compromised devices as launching points for further attacks. The impact extends beyond individual device compromise to potentially affect entire network infrastructures, particularly when these devices serve as gateways or routers.

The security implications align with CWE-285 (Improper Authorization) and CWE-78 (Improper Neutralization of Special Elements used in OS Command Execution) categories, demonstrating how weak session management combined with inadequate input validation creates dangerous attack surfaces. This vulnerability also maps to ATT&CK technique T1059.007 (Command and Scripting Interpreter: PowerShell) and T1543.003 (Create or Modify System Process: Cron) in the adversary tactics and techniques framework. Organizations should implement immediate mitigations including disabling unnecessary cron job functionality, implementing strict access controls, and monitoring for unauthorized crontab file uploads. Network segmentation and firewall rules can help limit the potential impact of exploitation, while regular firmware updates and security patches should be prioritized to address this vulnerability in affected GL.iNet devices.

Reservation

12/15/2023

Disclosure

01/03/2024

Moderation

accepted

CPE

ready

EPSS

0.00861

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!