| Title | GL.iNet GL-MT3000 4.4.5 Command Injection |
|---|---|
| Description | An unauthenticated command injection vulnerability exists in the `/cgi-bin/glc` endpoint of the affected product. The `glc` CGI binary loads shared object plugins from `/usr/lib/oui-httpd/rpc/` via `dlopen()` and dispatches any exported function via `dlsym()`, with no authentication or method allowlist. The `nas-web.so` plugin exports the internal helper function `eject_disk_do1`, which extracts the `dev_name` parameter from the JSON request body and passes it to `disk_remove_do()`. This function first validates the device name by constructing a path via `snprintf(path, 0x40, "/dev/%s", dev_name)` and checking `access()`, then constructs a shell command via `snprintf(cmd, 0x100, "echo \"#remove_dev:%s;\" > ...", dev_name)` and executes it via `system()`. Due to the buffer size mismatch (0x40 vs 0x100) and Linux path normalization of consecutive slashes, an attacker can craft a `dev_name` that passes the `access()` check (appearing as `/dev/null`) while the shell-injected payload in the remaining portion is executed via `/bin/sh -c`. |
| Source | ⚠️ https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/nas_eject_disk_do1_glc_rce |
| User | strforexc (UID 94617) |
| Submission | 2026-05-11 03:13 PM (28 days ago) |
| Moderation | 2026-06-06 12:33 PM (26 days later) |
| Status | Accepted |
| VulDB entry | 369070 [GL.iNet GL-MT3000 4.4.5 Path Normalization /usr/lib/oui-httpd/rpc/ dlopen dev_name privilege escalation] |
| Points | 20 |
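
A hardened form of the `dev_name` handling described above, as an added example that is not the vendor's code or part of the submission: it validates the whole input rather than a truncated copy and writes the record without a shell. The names `dev_name_is_safe` and `write_remove_record` and the caller-supplied output stream are assumptions, and the `access()` check is left out so the block runs offline.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF 0x40 /* size the description gives for the "/dev/%s" buffer */

/* Hypothetical validator: returns 1 only for a bare device name such as
 * "sda1" whose full "/dev/<name>" path fits the buffer without truncation. */
int dev_name_is_safe(const char *dev_name)
{
    char path[PATH_BUF];
    size_t i, len;
    int n;

    if (dev_name == NULL)
        return 0;
    len = strlen(dev_name);
    if (len == 0)
        return 0;

    /* Allowlist letters and digits only: no '/', quotes, ';', '$' or
     * whitespace can reach a path check or a later consumer. */
    for (i = 0; i < len; i++)
        if (!isalnum((unsigned char)dev_name[i]))
            return 0;

    /* snprintf returns the length it wanted to write. A value >= the buffer
     * size means the checked path would be a truncated prefix of the input,
     * which is the 0x40 vs 0x100 mismatch the description points at. */
    n = snprintf(path, sizeof(path), "/dev/%s", dev_name);
    if (n < 0 || (size_t)n >= sizeof(path))
        return 0;
    return 1;
}

/* Hypothetical replacement for the echo-through-system() step: the record is
 * written directly to an already opened stream, so no shell parses dev_name.
 * Returns 0 on success, -1 if the name is rejected or the write fails. */
int write_remove_record(FILE *out, const char *dev_name)
{
    if (out == NULL || !dev_name_is_safe(dev_name))
        return -1;
    return fprintf(out, "#remove_dev:%s;\n", dev_name) < 0 ? -1 : 0;
}
```

Because the truncation check and the later write both use the same unmodified string, the value that is validated is the value that is used.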