Submission #825212: GL.iNet GL-MT3000 4.4.5 Command Injection

Title: GL.iNet GL-MT3000 4.4.5 Command Injection
Description: An authenticated command injection vulnerability exists in the minidlna service of the affected product. The `/rpc` endpoint allows an authenticated admin to write arbitrary values to UCI `minidlna.config.db_dir` via `uci.set`, because the rpcd ACL grants global `uci.set` permission to the `luci-base` scope without per-package restrictions. The init script then echoes the UCI value verbatim into `/var/etc/minidlna.conf` with no shell quoting. When `minidlnad` (running as root with `user=root`) reads this configuration, it passes the `db_dir` value through `realpath()`, which fails for non-existent paths containing shell metacharacters and falls back to the raw payload. The raw string is then passed unsanitized into `snprintf(buf, "rm -rf %s/files.db %s/art_cache", db_dir, db_dir)` followed by `system(buf)`, resulting in root command execution.

The reported vulnerable flow is:

1. Authenticated attacker -> POST /rpc login -> session with luci-base scope
2. POST /rpc uci.set(config="minidlna", section="config", values={ enabled: 1, user: "root", db_dir: "/tmp/x; <cmd> > /tmp/out 2>&1; #" })
   // rpcd ACL luci-base.json: write.ubus.uci = ["set"], global, no per-package isolation
   // uci.set stores value as-is, no content validation
3. POST /rpc uci.apply() -> UCI committed -> /etc/config/minidlna
4. POST /rpc ubus.call(luci, setInitAction, {name:"minidlna", action:"restart"}) -> triggers /etc/init.d/minidlna restart
5. /etc/init.d/minidlna: minidlna_cfg_addstr() -> config_get + echo "$key=$val"
   // line 31: echo "db_dir=/tmp/x; <cmd> > /tmp/out 2>&1; #"
   // NO shell quoting: raw payload written to /var/etc/minidlna.conf
6. minidlnad (root, because user=root):
   sub_411F74 reads /var/etc/minidlna.conf -> strchr(line, '=') splits key=value -> dispatch table lookup: "db_dir" -> type 13 -> strncpy copies value into parsed config array
   // NO sanitization: shell metacharacters preserved
   sub_406D14 switch case 0x0D: -> realpath(payload, resolved) -> NULL (path doesn't exist) -> fallback: path = raw_payload
   // raw payload used directly!
   -> sub_40682C(&path_, path, 0x400) // stored in global
   sub_4069E8: -> snprintf(buf, "rm -rf %s/files.db %s/art_cache", path_, path_) -> system(buf)
   -> /bin/sh -c "rm -rf /tmp/x; <cmd> > /tmp/out 2>&1; #/files.db ..."
      ("rm -rf /tmp/x" is a no-op, "<cmd>" is the RCE, "> /tmp/out 2>&1" is a shell redirect, "#/files.db ..." is commented out)
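The fix for the last step of the chain, written here as an added C example that is neither minidlna's code nor the submitter's: the `snprintf`-into-`system()` pattern is kept only as a string builder so its effect on a shell-meaningful value can be inspected, and beside it a hardened cleanup that validates `db_dir` against a conservative character set, refuses to continue when `realpath()` fails instead of falling back to the raw value, and removes `files.db` and `art_cache` through the filesystem API so no shell ever parses the path. The function names, the whitelist, the constructed sample value and the scratch directory under `/tmp` are assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include <errno.h>
#include <ftw.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable pattern as the submission describes it: db_dir is formatted into a
 * command line that the daemon hands to system(), so every byte of db_dir
 * reaches /bin/sh. This helper only builds the string; it never executes it. */
int build_cleanup_command_vulnerable(const char *db_dir, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "rm -rf %s/files.db %s/art_cache", db_dir, db_dir);
    return (n > 0 && (size_t)n < buflen) ? 0 : -1;
}

/* Input validation for where the value enters (uci.set or the init script):
 * an absolute path made only of a conservative character set (assumed whitelist). */
int db_dir_is_sane(const char *db_dir)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/._-";
    size_t len = strlen(db_dir);
    if (len == 0 || len >= PATH_MAX || db_dir[0] != '/')
        return 0;
    return strspn(db_dir, allowed) == len;
}

/* nftw() callback: with FTW_DEPTH each directory is visited after its children,
 * so remove() empties and then deletes the tree without any shell. */
static int remove_entry(const char *path, const struct stat *sb, int typeflag, struct FTW *ftwbuf)
{
    (void)sb; (void)typeflag; (void)ftwbuf;
    return (remove(path) == 0 || errno == ENOENT) ? 0 : -1;
}

/* Hardened cleanup: validate, require realpath() to succeed (no fallback to the
 * raw value), then delete the two entries via the filesystem API. 0 on success. */
int cleanup_db_files_hardened(const char *db_dir)
{
    char resolved[PATH_MAX], target[PATH_MAX];
    const char *entries[] = { "files.db", "art_cache" };

    if (!db_dir_is_sane(db_dir))
        return -1;
    if (realpath(db_dir, resolved) == NULL)
        return -1;

    for (size_t i = 0; i < 2; i++) {
        int n = snprintf(target, sizeof target, "%s/%s", resolved, entries[i]);
        if (n < 0 || (size_t)n >= sizeof target)
            return -1;
        struct stat st;
        if (lstat(target, &st) != 0) {
            if (errno == ENOENT) continue;          /* nothing to clean up */
            return -1;
        }
        if (S_ISDIR(st.st_mode)) {
            if (nftw(target, remove_entry, 16, FTW_DEPTH | FTW_PHYS) != 0)
                return -1;
        } else if (remove(target) != 0) {
            return -1;
        }
    }
    return 0;
}

/* Self-check on a constructed scratch directory: create files.db and an
 * art_cache/ directory with one entry, run the hardened cleanup, report whether
 * both are gone. Returns 1 on success, 0 on failure. */
int demo_hardened_cleanup(void)
{
    char dir[] = "/tmp/minidlna_demo_XXXXXX";     /* constructed scratch path */
    char path[PATH_MAX];
    FILE *f;

    if (mkdtemp(dir) == NULL) return 0;
    snprintf(path, sizeof path, "%s/files.db", dir);
    if ((f = fopen(path, "w")) == NULL) return 0;
    fclose(f);
    snprintf(path, sizeof path, "%s/art_cache", dir);
    if (mkdir(path, 0700) != 0) return 0;
    snprintf(path, sizeof path, "%s/art_cache/thumb.jpg", dir);
    if ((f = fopen(path, "w")) == NULL) return 0;
    fclose(f);

    if (cleanup_db_files_hardened(dir) != 0) return 0;

    snprintf(path, sizeof path, "%s/files.db", dir);
    int ok = access(path, F_OK) != 0;
    snprintf(path, sizeof path, "%s/art_cache", dir);
    ok = ok && access(path, F_OK) != 0;
    rmdir(dir);
    return ok;
}

int main(void)
{
    char cmd[512];
    const char *value = "/tmp/x; true #";       /* constructed shell-meaningful value */

    build_cleanup_command_vulnerable(value, cmd, sizeof cmd);
    printf("vulnerable pattern would run: %s\n", cmd);
    printf("db_dir_is_sane: %d\n", db_dir_is_sane(value));
    printf("hardened cleanup on that value: %d (rejected)\n", cleanup_db_files_hardened(value));
    printf("hardened cleanup on scratch dir: %s\n", demo_hardened_cleanup() ? "ok" : "failed");
    return 0;
}
```

The two layers are independent: even if the whitelist were bypassed, the hardened path never constructs a shell command, and a `realpath()` failure is treated as an error rather than an excuse to use the unresolved string.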
Source: https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/minidlna_db_dir_uci_rce
User: strforexc (UID 94617)
Submission: 2026-05-11 05:18 (27 days ago)
Moderation: 2026-06-06 12:33 (26 days later)
Status: Accepted
VulDB entry: 369068 [GL.iNet GL-MT3000 up to 4.4.5 Minidlna Service /rpc realpath uci.set privilege escalation]
Points: 20
