| Título | GL.iNet GL-MT3000 4.4.5 Command Injection |
|---|
| Descrição | An authenticated command injection vulnerability exists in the `iwinfo.scan` ubus RPC method of the affected product. The `iwinfo.so` plugin exposed by rpcd accepts a `device` parameter that undergoes only blobmsg type validation (BLOBMSG_TYPE_STRING). The raw parameter is passed through `iwinfo_backend()` into `libiwinfo.so`, where the MTK backend probe uses `strstr()` substring matching to select the backend, but the device remapping logic inside the MTK scan function uses `strcmp()` exact matching. An attacker can craft a device string that passes the substring probe but fails the exact remap, causing the raw payload to flow directly into `sprintf(buf, "iwpriv %s set SiteSurvey=", device)` followed by `system(buf)`, resulting in root command execution. |
|---|
| Fonte | ⚠️ https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/iwinfo_scan_ubus_rce |
|---|
| Utilizador | strforexc (UID 94617) |
|---|
| Submissão | 10/05/2026 15h55 (há 1 mês) |
|---|
| Moderação | 06/06/2026 12h33 (27 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 369067 [GL.iNet GL-MT3000 até 4.4.5 MTK Backend iwinfo.so iwinfo_backend device Elevação de Privilégios] |
|---|
| Pontos | 20 |
|---|