| Titel | GL.iNet GL-MT3000 4.4.5 Command Injection |
|---|
| Beschreibung | An authenticated command injection vulnerability exists in the `iwinfo.scan` ubus RPC method of the affected product. The `iwinfo.so` plugin exposed by rpcd accepts a `device` parameter that undergoes only blobmsg type validation (BLOBMSG_TYPE_STRING). The raw parameter is passed through `iwinfo_backend()` into `libiwinfo.so`, where the MTK backend probe uses `strstr()` substring matching to select the backend, but the device remapping logic inside the MTK scan function uses `strcmp()` exact matching. An attacker can craft a device string that passes the substring probe but fails the exact remap, causing the raw payload to flow directly into `sprintf(buf, "iwpriv %s set SiteSurvey=", device)` followed by `system(buf)`, resulting in root command execution. |
|---|
| Quelle | ⚠️ https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/iwinfo_scan_ubus_rce |
|---|
| Benutzer | strforexc (UID 94617) |
|---|
| Einreichung | 10.05.2026 15:55 (vor 28 Tagen) |
|---|
| Moderieren | 06.06.2026 12:33 (27 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 369067 [GL.iNet GL-MT3000 bis 4.4.5 MTK Backend iwinfo.so iwinfo_backend device erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|