GL.iNet GL-AXT1800 Router Command Injection Vulnerability

A command injection vulnerability has been identified in the GL.iNet GL-AXT1800 router firmware version 4.6.8. The issue arises in the 'plugins.install_package' RPC method, which does not properly sanitize user input in package names. This flaw allows authenticated attackers to execute arbitrary commands with root privileges on the device.

Impact

Exploitation of this vulnerability allows authenticated attackers to execute arbitrary commands as root on the affected router. This could lead to full control over the device, including unauthorized changes to configurations, exposure of sensitive data such as Wi-Fi credentials and connected device information, and interception of network traffic. Additionally, this vulnerability could be exploited to install backdoors or malware, facilitating lateral movement within connected networks.

Reproduction

To reproduce this vulnerability, an authenticated attacker can send a crafted JSON-RPC request to the '/rpc' endpoint, specifically targeting the 'plugins.install_package' method. The package name parameter can be manipulated to include injected commands, which will be executed on the device with root privileges. This exploitation requires a valid session token to authenticate the request.

Remediation

GL.iNet has acknowledged this vulnerability and should be contacted for a firmware update. Users can also monitor the GL.iNet security updates page for the latest information.