Submit #820049: GL.iNet MT3000 4.4.5 Command Injectioninfo

TitelGL.iNet MT3000 4.4.5 Command Injection
BeschreibungAn authenticated configuration injection vulnerability exists in the OpenVPN client import workflow of the affected product. An attacker with admin credentials can upload a malicious .ovpn configuration file through the /upload endpoint. The file content is not validated for dangerous OpenVPN directives. When the imported configuration is later loaded by ovpnclient.sh, a sed filter only strips 4 directives (daemon, dev, dev-type, tun-mtu), leaving 200+ OpenVPN directives intact. Since the OpenVPN process is launched with --script-security 3 as root, an attacker can inject directives such as writepid, up, down, tls-verify, and client-connect to achieve arbitrary file creation or root command execution. The reported vulnerable flow is: Authenticated user -> POST /upload (multipart with sid, path=/tmp/ovpn_upload/<name>.ovpn, file=<malicious .ovpn>) -> oui-upload.lua checks path allowlist only, does NOT inspect file content -> file written to /tmp/ovpn_upload/<name>.ovpn -> POST /rpc calls ovpn-client.check_config(filename=<name>.ovpn) -> ovpn-client.so reads the file, validates format only, does NOT check for dangerous directives -> POST /rpc calls ovpn-client.confirm_config(group_id=...) -> ovpn-client.so writes UCI entry: option path '/tmp/ovpn_upload/<name>.ovpn' -> POST /rpc calls ovpn-client.start(group_id=..., client_id=...) -> netifd reads UCI, calls ovpnclient.sh -> ovpnclient.sh:50 applies sed filter (only removes 4 directives) -> writepid / up / down / tls-verify etc. pass through untouched -> ovpnclient.sh:66 launches: /usr/sbin/openvpn --script-security 3 --config <filtered file> -> OpenVPN processes injected directives as root -> arbitrary file creation (writepid) or command execution (up/down/tls-verify)
Quelle⚠️ https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/ovpn_client_import
Benutzer
 strforexc (UID 94617)
Einreichung06.05.2026 09:34 (vor 1 Monat)
Moderieren05.06.2026 20:26 (1 month later)
StatusAkzeptiert
VulDB Eintrag368966 [GL.iNet MT3000 bis 4.4.5 OpenVPN Client Import Workflow ovpnclient.sh erweiterte Rechte]
Punkte20

ZurückÜbersichtWeiter

Want to know what is going to be exploited?

We predict KEV entries!