Submeter #820049: GL.iNet MT3000 4.4.5 Command Injectioninformação

TítuloGL.iNet MT3000 4.4.5 Command Injection
DescriçãoAn authenticated configuration injection vulnerability exists in the OpenVPN client import workflow of the affected product. An attacker with admin credentials can upload a malicious .ovpn configuration file through the /upload endpoint. The file content is not validated for dangerous OpenVPN directives. When the imported configuration is later loaded by ovpnclient.sh, a sed filter only strips 4 directives (daemon, dev, dev-type, tun-mtu), leaving 200+ OpenVPN directives intact. Since the OpenVPN process is launched with --script-security 3 as root, an attacker can inject directives such as writepid, up, down, tls-verify, and client-connect to achieve arbitrary file creation or root command execution. The reported vulnerable flow is: Authenticated user -> POST /upload (multipart with sid, path=/tmp/ovpn_upload/<name>.ovpn, file=<malicious .ovpn>) -> oui-upload.lua checks path allowlist only, does NOT inspect file content -> file written to /tmp/ovpn_upload/<name>.ovpn -> POST /rpc calls ovpn-client.check_config(filename=<name>.ovpn) -> ovpn-client.so reads the file, validates format only, does NOT check for dangerous directives -> POST /rpc calls ovpn-client.confirm_config(group_id=...) -> ovpn-client.so writes UCI entry: option path '/tmp/ovpn_upload/<name>.ovpn' -> POST /rpc calls ovpn-client.start(group_id=..., client_id=...) -> netifd reads UCI, calls ovpnclient.sh -> ovpnclient.sh:50 applies sed filter (only removes 4 directives) -> writepid / up / down / tls-verify etc. pass through untouched -> ovpnclient.sh:66 launches: /usr/sbin/openvpn --script-security 3 --config <filtered file> -> OpenVPN processes injected directives as root -> arbitrary file creation (writepid) or command execution (up/down/tls-verify)
Fonte⚠️ https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/ovpn_client_import
Utilizador
 strforexc (UID 94617)
Submissão06/05/2026 09h34 (há 1 mês)
Moderação05/06/2026 20h26 (1 month later)
EstadoAceite
Entrada VulDB368966 [GL.iNet MT3000 até 4.4.5 OpenVPN Client Import Workflow ovpnclient.sh Elevação de Privilégios]
Pontos20

VoltarVisão GeralPróximo

Might our Artificial Intelligence support you?

Check our Alexa App!