Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
1 contributor

Users who have contributed to this file

CVE: CVE-2023-29778
Version: 4.1.0
Firmware type: Release2
Compile time: 2022-11-03 9:47:27 (UTC+8:00)
Vendor: GL.iNET
Router Model: MT3000
Description: Command Injection in "logread" RPC Requests, the injection can occur when the get_nginx_log type is called


image

The following OS Command Injections vulnerabilities stem from the vulnerable code in /usr/lib/oui-httpd/rpc/logread. The injection can occur when the get_nginx_log type is called.

image

To perform a command injection through the parameter %s which is where the input for the type value is passed, an attacker would need to supply crafted values that are executed by a Linux binary. As seen below the ; delimiter character is used followed by the cat binary to output the contents of the /etc/passwd file as seen below.

image