Submission #820049: GL.iNet MT3000 4.4.5 Command Injection

Title: GL.iNet MT3000 4.4.5 Command Injection

Description: An authenticated configuration injection vulnerability exists in the OpenVPN client import workflow of the affected product. An attacker with admin credentials can upload a malicious .ovpn configuration file through the /upload endpoint. The file content is not validated for dangerous OpenVPN directives. When the imported configuration is later loaded by ovpnclient.sh, a sed filter only strips 4 directives (daemon, dev, dev-type, tun-mtu), leaving 200+ OpenVPN directives intact. Since the OpenVPN process is launched with --script-security 3 as root, an attacker can inject directives such as writepid, up, down, tls-verify, and client-connect to achieve arbitrary file creation or root command execution.

The reported vulnerable flow is:

Authenticated user
-> POST /upload (multipart with sid, path=/tmp/ovpn_upload/<name>.ovpn, file=<malicious .ovpn>)
-> oui-upload.lua checks path allowlist only, does NOT inspect file content
-> file written to /tmp/ovpn_upload/<name>.ovpn
-> POST /rpc calls ovpn-client.check_config(filename=<name>.ovpn)
-> ovpn-client.so reads the file, validates format only, does NOT check for dangerous directives
-> POST /rpc calls ovpn-client.confirm_config(group_id=...)
-> ovpn-client.so writes UCI entry: option path '/tmp/ovpn_upload/<name>.ovpn'
-> POST /rpc calls ovpn-client.start(group_id=..., client_id=...)
-> netifd reads UCI, calls ovpnclient.sh
-> ovpnclient.sh:50 applies sed filter (only removes 4 directives)
-> writepid / up / down / tls-verify etc. pass through untouched
-> ovpnclient.sh:66 launches: /usr/sbin/openvpn --script-security 3 --config <filtered file>
-> OpenVPN processes injected directives as root
-> arbitrary file creation (writepid) or command execution (up/down/tls-verify)
Source: https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/ovpn_client_import
User: strforexc (UID 94617)
Submitted: 2026. 05. 06. AM 09:34 (1 month ago)
Moderation: 2026. 06. 05. PM 08:26 (1 month later)
Status: Accepted
VulDB entry: 368966 [GL.iNet MT3000 up to 4.4.5 OpenVPN Client Import Workflow ovpnclient.sh privilege escalation]
Points: 20
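
An added example, not part of the submission or of GL.iNet's code: a content check of the kind the description says is missing at import time, rejecting every .ovpn directive outside an allowlist instead of stripping a few by name. The allowlist, the directive sets beyond those named in the description, and the sample input are assumptions constructed for illustration.

```python
import re

# Assumed, illustrative allowlist of client directives; not GL.iNet's list.
ALLOWED = {
    "client", "remote", "proto", "port", "nobind", "resolv-retry", "pull",
    "persist-key", "persist-tun", "remote-cert-tls", "cipher", "data-ciphers",
    "auth", "verb", "key-direction", "auth-user-pass", "comp-lzo", "compress",
    "dev", "dev-type", "tun-mtu", "reneg-sec", "keepalive",
}
# Run a program or load code; up/down/tls-verify/client-connect are from the page.
EXECUTES = {"up", "down", "tls-verify", "client-connect", "client-disconnect",
            "route-up", "route-pre-down", "ipchange", "learn-address",
            "auth-user-pass-verify", "plugin"}
# Write a file; writepid is from the page, the rest are added here.
WRITES = {"writepid", "log", "log-append", "status"}
# Inline blocks whose body is key or certificate data, not directives.
INLINE = {"ca", "cert", "key", "tls-auth", "tls-crypt", "extra-certs", "pkcs12"}

def audit_ovpn(text):
    """Return (line_no, directive, reason) for each line an import should reject."""
    findings, inline, no = [], None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inline:                       # inside <ca>...</ca>: skip the data
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        tag = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if tag and tag.group(1) in INLINE:
            inline = tag.group(1)
            continue
        # Quotes and leading dashes around the directive name are handled defensively.
        name = re.sub(r"^--", "", line.split()[0].strip("\"'"))
        if name in EXECUTES:
            findings.append((no, name, "executes a command"))
        elif name in WRITES:
            findings.append((no, name, "writes a file"))
        elif name not in ALLOWED:
            findings.append((no, name, "not on allowlist"))
    if inline:                           # a block that never closes hides the rest
        findings.append((no, inline, "unterminated inline block"))
    return findings

# Constructed sample input with placeholder paths.
SAMPLE = ("client\ndev tun\nremote vpn.example.net 1194\n<ca>\nup placeholder-data\n"
          "</ca>\nwritepid /tmp/example.pid\n--up /tmp/example-hook.sh\nscript-security 3\n")
```

An import step would refuse the file when `audit_ovpn` returns any finding, so a directive the list's author never thought of is rejected by default.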
