| tiêu đề | GL.iNet GL-MT3000 4.4.5 Command Injection |
|---|
| Mô tả | An authenticated command execution vulnerability exists in the LuCI JSON-RPC interface of the affected product. Although GL.iNet primarily uses its own `/rpc` endpoint (OpenResty-based), nginx still exposes the legacy LuCI CGI path at `/cgi-bin/luci/rpc` via fcgiwrap. The `rpc_sys()` handler clones the entire `luci.sys` module without any method whitelist and passes it to `jsonrpc.handle()`, which uses reflective table lookup (`rawget()`) to dispatch any requested method name to its corresponding function. Since `luci.sys.exec` is aliased to `luci.util.exec`, which calls `io.popen(command)` without sanitization, an attacker who authenticates with the root password can execute arbitrary shell commands as root and receive stdout directly in the JSON-RPC response. |
|---|
| Nguồn | ⚠️ https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/luci_rpc_sys_exec_rce |
|---|
| Người dùng | strforexc (UID 94617) |
|---|
| Đệ trình | 11/05/2026 09:34 (cách đây 1 tháng) |
|---|
| Kiểm duyệt | 06/06/2026 12:33 (26 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 369069 [GL.iNet GL-MT3000 4.4.5 LuCI JSON-RPC Interface /cgi-bin/luci/rpc rpc_sys nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|