Submit #825536: GL.iNet GL-MT3000 4.4.5 Command Injection

Title: GL.iNet GL-MT3000 4.4.5 Command Injection
Description: An unauthenticated command injection vulnerability exists in the `/cgi-bin/glc` endpoint of the affected product. The `glc` CGI binary loads shared object plugins from `/usr/lib/oui-httpd/rpc/` via `dlopen()` and dispatches any exported function via `dlsym()`, with no authentication or method allowlist. The `nas-web.so` plugin exports the internal helper function `eject_disk_do1`, which extracts the `dev_name` parameter from the JSON request body and passes it to `disk_remove_do()`. This function first validates the device name by constructing a path via `snprintf(path, 0x40, "/dev/%s", dev_name)` and checking `access()`, then constructs a shell command via `snprintf(cmd, 0x100, "echo \"#remove_dev:%s;\" > ...", dev_name)` and executes it via `system()`. Due to the buffer size mismatch (0x40 vs 0x100) and Linux path normalization of consecutive slashes, an attacker can craft a `dev_name` that passes the `access()` check (appearing as `/dev/null`) while the shell-injected payload in the remaining portion is executed via `/bin/sh -c`.
Source: https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/nas_eject_disk_do1_glc_rce
User: strforexc (UID 94617)
Submission: 05/11/2026 15:13 (27 days ago)
Moderation: 06/06/2026 12:33 (26 days later)
Status: Accepted
VulDB entry: 369070 [GL.iNet GL-MT3000 4.4.5 Path Normalization /usr/lib/oui-httpd/rpc/ dlopen dev_name command injection]
Points: 20
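
A hardened form of the flow in the description, as an added example that is not the vendor's or the submitter's code: the function names and the `marker_file` parameter are assumptions (the page elides the redirect target). It allowlists `dev_name`, treats `snprintf` truncation as failure so the checked path and the value used later cannot differ, and writes the marker without a shell.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added example: all names here are hypothetical, not taken from the firmware. */
#define DEV_PATH_MAX 0x40   /* size the description gives for the path buffer */

/* Returns 0 and fills path if dev_name is a plain device name, -1 otherwise. */
int dev_name_to_path(const char *dev_name, char *path, size_t path_len)
{
    size_t i, len;
    int n;

    if (dev_name == NULL || path == NULL)
        return -1;
    len = strlen(dev_name);
    if (len == 0 || len > 31)
        return -1;
    /* Allowlist: letters and digits only, so no '/', quotes, ';', '$' or spaces. */
    for (i = 0; i < len; i++)
        if (!isalnum((unsigned char)dev_name[i]))
            return -1;
    /* Truncation is an error: the string that is checked must be the whole string. */
    n = snprintf(path, path_len, "/dev/%s", dev_name);
    if (n < 0 || (size_t)n >= path_len)
        return -1;
    return 0;
}

/* Writes the removal marker with stdio instead of system(); no shell is involved. */
int write_remove_marker(const char *dev_name, const char *marker_file)
{
    char path[DEV_PATH_MAX];
    FILE *fp;
    int ok;

    if (dev_name_to_path(dev_name, path, sizeof(path)) != 0)
        return -1;
    if (access(path, F_OK) != 0)
        return -1;
    fp = fopen(marker_file, "w");
    if (fp == NULL)
        return -1;
    ok = fprintf(fp, "#remove_dev:%s;\n", dev_name) > 0;
    if (fclose(fp) != 0)
        ok = 0;
    return ok ? 0 : -1;
}
```

Input validation of this kind does not replace authentication and a method allowlist on the `glc` dispatcher, which the description identifies as missing.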
