Submission #820049: GL.iNet MT3000 4.4.5 Command Injection (info)

Title: GL.iNet MT3000 4.4.5 Command Injection
Description: An authenticated configuration injection vulnerability exists in the OpenVPN client import workflow of the affected product. An attacker with admin credentials can upload a malicious .ovpn configuration file through the /upload endpoint. The file content is not validated for dangerous OpenVPN directives. When the imported configuration is later loaded by ovpnclient.sh, a sed filter only strips 4 directives (daemon, dev, dev-type, tun-mtu), leaving 200+ OpenVPN directives intact. Since the OpenVPN process is launched with --script-security 3 as root, an attacker can inject directives such as writepid, up, down, tls-verify, and client-connect to achieve arbitrary file creation or root command execution.

The reported vulnerable flow is:

Authenticated user
-> POST /upload (multipart with sid, path=/tmp/ovpn_upload/<name>.ovpn, file=<malicious .ovpn>)
-> oui-upload.lua checks path allowlist only, does NOT inspect file content
-> file written to /tmp/ovpn_upload/<name>.ovpn
-> POST /rpc calls ovpn-client.check_config(filename=<name>.ovpn)
-> ovpn-client.so reads the file, validates format only, does NOT check for dangerous directives
-> POST /rpc calls ovpn-client.confirm_config(group_id=...)
-> ovpn-client.so writes UCI entry: option path '/tmp/ovpn_upload/<name>.ovpn'
-> POST /rpc calls ovpn-client.start(group_id=..., client_id=...)
-> netifd reads UCI, calls ovpnclient.sh
-> ovpnclient.sh:50 applies sed filter (only removes 4 directives)
-> writepid / up / down / tls-verify etc. pass through untouched
-> ovpnclient.sh:66 launches: /usr/sbin/openvpn --script-security 3 --config <filtered file>
-> OpenVPN processes injected directives as root
-> arbitrary file creation (writepid) or command execution (up/down/tls-verify)
Source: ⚠️ https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/ovpn_client_import
User: strforexc (UID 94617)
Submitted: 2026-05-06 09:34 (1 month ago)
Moderation: 2026-06-05 20:26 (1 month later)
Status: Accepted
VulDB entry: 368966 [GL.iNet MT3000 up to 4.4.5 OpenVPN Client Import Workflow ovpnclient.sh privilege escalation]
Points: 20
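
The description attributes the issue to a filter that removes only four directives from the imported profile; a check that accepts only known-safe directives fails closed instead. The script below is an added example, not code from the report or from GL.iNet: `check_ovpn`, `sample_profile` and the `ALLOWED` and `INLINE` sets are assumptions made for illustration, and the sample profile is constructed.

```shell
#!/bin/sh
# Added example, not GL.iNet code. ALLOWED and INLINE are illustrative sets
# chosen for this sketch; a real deployment would tune them to its profiles.
ALLOWED="client dev dev-type proto remote resolv-retry nobind persist-key persist-tun remote-cert-tls cipher data-ciphers auth auth-user-pass key-direction tun-mtu verb"
INLINE="ca cert key tls-auth tls-crypt"

# check_ovpn FILE: print every directive outside the allowlist as
# FILE:LINE: directive, and return non-zero if any was found.
check_ovpn() {
    awk -v allowed="$ALLOWED" -v inline="$INLINE" '
    BEGIN {
        n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
        n = split(inline, b, " ");  for (i = 1; i <= n; i++) blk[b[i]] = 1
    }
    { sub(/\r$/, "") }                      # tolerate CRLF uploads
    # Inside <ca>...</ca> etc.: skip key material. Prefix match on the close
    # tag so trailing junk cannot keep the checker in skip mode.
    closing != "" { if (index($1, closing) == 1) closing = ""; next }
    NF == 0 || $1 ~ /^[#;]/ { next }        # blank lines and comments
    {
        d = $1; sub(/^--/, "", d)           # treat "--up" the same as "up"
        if (NF == 1 && d ~ /^<[a-z-]+>$/) { # inline block opener on its own line
            t = substr(d, 2, length(d) - 2)
            if (t in blk) { closing = "</" t ">"; next }
        }
        # Anything not allowlisted is rejected, including quoted or
        # otherwise disguised spellings of a directive name.
        if (!(d in ok)) { print FILENAME ":" NR ": " d; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }' "$1"
}

# Constructed sample profile: benign lines plus directives named in the report.
sample_profile() {
    cat <<'EOF'
client
dev tun
remote vpn.example.invalid 1194
<ca>
constructed-not-real-key-material
</ca>
writepid /tmp/placeholder
--up /tmp/placeholder
"tls-verify" /tmp/placeholder
EOF
}
```

Running the check at upload time and again immediately before OpenVPN is launched keeps a profile that was altered on disk between the two steps from being used.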