Overview - All GL.iNET devices running firmware <= 3.215 are vulnerable to an arbitrary file write, where an empty file can be created anywhere on the filesystem. The root cause is a command injection vulnerability that the firmware's character filter only partially blocks. Example request below:
POST /api/internet/ping HTTP/1.1
Host: 192.168.8.1
Authorization: 80dafe40822e4a59b6daabd659617963
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 30

ping_addr=127.0.0.1+>/tmp/test
Description
The API endpoint /api/internet/ping takes a ping_addr parameter and pipes it into the command ping %s -c4 > /tmp/ping_result 2>&1.
Since firmware 3.215, all string parameters are checked for shell injection characters (like ; or |), and any API request containing those characters is immediately blocked. This check was implemented in response to CVE-2022-31898. The blocked characters are ;, |, &, (, ), $, and the backtick. However, > and < are not blocked, which is what makes this behavior possible. In addition, the - character is not prohibited, so extra ping arguments can be supplied, though these do not give much additional control over the system.
Note that this can also be used to overwrite existing files. For example, the payload 127.0.0.1+>/etc/shadow would overwrite the /etc/shadow file with an empty one, bricking the system.
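The description above boils down to a denylist that misses two shell metacharacters. As an added illustration (not code from this write-up or from GL.iNET's firmware), the Python below reproduces the 3.215-style denylist as the page describes it, then shows the fix a defender would apply: validate ping_addr against an allowlist (an IP literal or an RFC 1123 hostname) and invoke ping with an argument list instead of a shell string, so no redirection or metacharacter is ever interpreted. The function names and the hostname regex are this example's own assumptions; the payload string is the one from the page.

```python
import ipaddress
import re
import subprocess
from typing import List

# Denylist as described in the write-up: the 3.215 filter blocks these
# characters but not '>' or '<'. (Reconstructed from the page, not GL.iNET code.)
DENYLIST = set(";|&()$`")


def denylist_allows(value: str) -> bool:
    """Mimic the denylist check: True if the request would be accepted."""
    return not any(ch in DENYLIST for ch in value)


# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, no leading or
# trailing hyphen, total length <= 253. (Assumed regex for this example.)
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_ping_target(value: str) -> bool:
    """Allowlist check: accept only an IPv4/IPv6 literal or a hostname.

    Spaces, redirections and option-like values such as '-f' all fail here,
    because neither an IP literal nor a hostname label may contain them.
    """
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.fullmatch(value) is not None


def build_ping_argv(target: str) -> List[str]:
    """Build the ping command as an argv list; no shell is involved."""
    if not is_valid_ping_target(target):
        raise ValueError("invalid ping target")
    return ["ping", "-c", "4", target]


def run_ping(target: str, result_path: str = "/tmp/ping_result") -> int:
    """Run ping without a shell and write combined output to result_path.

    Redirection is done by Python, not by sh, so user input can never
    create or truncate a file. Returns ping's exit status.
    """
    argv = build_ping_argv(target)
    with open(result_path, "wb") as out:
        proc = subprocess.run(argv, stdout=out, stderr=subprocess.STDOUT)
    return proc.returncode


if __name__ == "__main__":
    payload = "127.0.0.1 >/tmp/test"  # the page's payload, URL-decoded
    print("denylist accepts payload:", denylist_allows(payload))      # True
    print("allowlist accepts payload:", is_valid_ping_target(payload))  # False
    print("argv for a valid target:", build_ping_argv("127.0.0.1"))
```

The key design choice is that validation and execution are independent defenses: even if a future change loosened the allowlist, passing an argv list to subprocess.run means the kernel receives the target as a single argument and the shell's redirection syntax is never parsed.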
Steps to reproduce - Run the proof of concept below with python3 exploit.py <domain/IP> <authtoken> </path/to/file>, for example python3 exploit.py 192.168.8.1 80dafe40822e4a59b6daabd659617963 /tmp/arbitrary_file_write