CVE-2023-29778

Vulnerability

An OS command injection vulnerability exists in GL.iNET MT3000 routers running firmware version 4.1.0 Release 2 (compile time 2022-11-03). The flaw resides in the /usr/lib/oui-httpd/rpc/logread binary, which handles RPC requests. When the get_nginx_log type is invoked, user-supplied input is passed unsanitized into a shell command via the %s format parameter, allowing injection of arbitrary OS commands [1].

Exploitation

An attacker needs network access to the router's RPC interface, which is exposed by default on the LAN side. No authentication is required. By sending a crafted HTTP RPC request to the logread endpoint with a type value such as ;cat /etc/passwd, the injected command is executed by the underlying Linux shell. The semicolon (;) delimiter terminates the intended command and allows arbitrary subsequent commands to run [1].

Impact

Successful exploitation results in full remote command execution as the root user, leading to complete compromise of the router. An attacker can read, modify, or delete sensitive files, install persistent backdoors, exfiltrate network traffic, and pivot to internal network devices [1].

Mitigation

As of the publication date, no official patch has been released by GL.iNET for this CVE. Users are advised to restrict access to the router's web interface and RPC endpoints, monitor for firmware updates on the vendor's support page, and consider using firewall rules to limit exposure. The device remains vulnerable until a fix is provided [1].