A command injection vulnerability exists in multiple GL.iNet network products, allowing an attacker to inject and execute arbitrary shell commands via JSON parameters at the gl_system_log and gl_crash_log interface in the logread module. This exploit requires post-authentication using the Admin-Token cookie/sessionID (SID), typically stolen by the attacker. However, by chaining this exploit with vulnerability CVE-2023-50919, one can bypass the Nginx authentication through a Lua string pattern matching and SQL injection vulnerability. The Admin-Token cookie/SID can be retrieved without knowing a valid username and password. The following GL.iNet network products are vulnerable: – A1300, AX1800, AXT1800, MT3000, MT2500/MT2500A: v4.0.0 < v4.5.0; – MT6000: v4.5.0 – v4.5.3; – MT1300, MT300N-V2, AR750S, AR750, AR300M, AP1300, B1300: v4.3.7; – E750/E750V2, MV1000: v4.3.8; – X3000: v4.0.0 – v4.4.2; – XE3000: v4.0.0 – v4.4.3; – SFT1200: v4.3.6; – and potentially others (just try 😉 NOTE: Staged Meterpreter payloads might core dump on the target, so use stage-less Meterpreter payloads when using the Linux Dropper…Read More