| Título | GL.iNet GL-MT3000 4.4.5 Command Injection |
|---|
| Descripción | An authenticated command injection vulnerability exists in the `iwinfo.scan` ubus RPC method of the affected product. The `iwinfo.so` plugin exposed by rpcd accepts a `device` parameter that undergoes only blobmsg type validation (BLOBMSG_TYPE_STRING). The raw parameter is passed through `iwinfo_backend()` into `libiwinfo.so`, where the MTK backend probe uses `strstr()` substring matching to select the backend, but the device remapping logic inside the MTK scan function uses `strcmp()` exact matching. An attacker can craft a device string that passes the substring probe but fails the exact remap, causing the raw payload to flow directly into `sprintf(buf, "iwpriv %s set SiteSurvey=", device)` followed by `system(buf)`, resulting in root command execution. |
|---|
| Fuente | ⚠️ https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/iwinfo_scan_ubus_rce |
|---|
| Usuario | strforexc (UID 94617) |
|---|
| Sumisión | 2026-05-10 15:55 (hace 28 días) |
|---|
| Moderación | 2026-06-06 12:33 (27 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 369067 [GL.iNet GL-MT3000 hasta 4.4.5 MTK Backend iwinfo.so iwinfo_backend device escalada de privilegios] |
|---|
| Puntos | 20 |
|---|