GL.iNet GL-AX1800 Authentication Bypass Vulnerability Allowing Remote Code Execution

Vulnerability

A critical authentication bypass vulnerability has been identified in GL.iNet GL-AXT1800 (Slate AX) router firmware versions 4.6.4 and 4.6.8. The vulnerability resides in the LuCI web interface's authentication endpoint, which lacks rate limiting, CAPTCHA, and account lockout mechanisms. This allows an unauthenticated attacker on the local network to perform unlimited brute-force attacks on admin credentials, potentially leading to full administrative access. This vulnerability can be chained with an authenticated command injection issue to achieve remote code execution (RCE) without initial authentication.

Impact

Exploitation of this vulnerability allows for unauthorized administrative access to the router, enabling the attacker to modify settings, such as Wi-Fi configurations and firewall rules, and access sensitive information, including connected device details and network traffic. When combined with the authenticated command injection vulnerability, it results in full system compromise, including unauthorized configuration changes, data exposure, and network infiltration.

Reproduction

The vulnerability can be reproduced by sending repeated POST requests to the authentication endpoint with the 'luci_username' and 'luci_password' parameters. Because the endpoint applies no rate limiting or lockout, this can be automated with a Python script and a wordlist at high speed on the local network. Once authenticated, the command injection vulnerability can be exploited to execute arbitrary commands with root privileges, leading to remote code execution.

Remediation

Users are advised to update their firmware to the latest version, replace default or weak passwords with strong, unique ones, and disable WAN access to the admin interface. Implementing network controls to limit local access to the router's admin ports and monitoring router logs for failed login attempts can also help mitigate the risk. GL.iNet should add rate limiting, CAPTCHA, and temporary lockouts to the authentication endpoint.
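As an added illustration of the temporary lockout control that the remediation calls for (example code written for this page, not GL.iNet's or LuCI's), the following Python sketch tracks failed logins per source address and refuses further attempts, including one carrying the correct password, while that source is locked out. The thresholds and the sample attempt stream are constructed values.

```python
from collections import defaultdict, deque

# Hypothetical lockout policy for a LuCI-style login endpoint (constructed values,
# not GL.iNet's): lock a source out for LOCKOUT_SECONDS once it has MAX_FAILURES
# failed logins within WINDOW_SECONDS.
MAX_FAILURES = 5
WINDOW_SECONDS = 60
LOCKOUT_SECONDS = 300


class LoginGuard:
    """Per-source failed-login tracker with a sliding window and temporary lockout."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # source -> timestamps of recent failures
        self._locked_until = {}              # source -> time at which the lockout expires

    def is_locked(self, source, now):
        return self._locked_until.get(source, 0) > now

    def record(self, source, success, now):
        """Record one login attempt; returns 'locked', 'ok' or 'fail'."""
        if self.is_locked(source, now):
            return "locked"           # refused regardless of the password supplied
        if success:
            self._failures.pop(source, None)
            return "ok"
        q = self._failures[source]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[source] = now + self.lockout
            q.clear()
            return "locked"
        return "fail"


def replay(attempts, guard=None):
    """Feed (timestamp, source, username, success) tuples through a guard; return the outcomes."""
    guard = guard or LoginGuard()
    return [guard.record(src, ok, ts) for ts, src, _user, ok in attempts]


# Constructed sample (not real router logs): 192.0.2.10 hammers the endpoint with a
# wordlist and is refused even when it later supplies the right password; 198.51.100.7
# logs in normally and one stray failure does not lock it out.
SAMPLE_ATTEMPTS = [
    (0.0, "192.0.2.10", "root", False), (0.1, "192.0.2.10", "root", False),
    (0.2, "192.0.2.10", "root", False), (0.3, "192.0.2.10", "root", False),
    (0.4, "192.0.2.10", "root", False), (1.0, "192.0.2.10", "root", True),
    (2.0, "198.51.100.7", "root", True), (3.0, "198.51.100.7", "root", False),
    (301.0, "192.0.2.10", "root", True),
]

if __name__ == "__main__":
    for attempt, outcome in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(attempt, "->", outcome)
```

A source that trips the threshold is answered with "locked" for the whole lockout period, which is what removes the attacker's ability to test a wordlist at line speed; the same per-source counters can drive log alerts for the monitoring the remediation recommends.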

Added: Jan 8, 2026, 4:29 PM
Updated: Jan 8, 2026, 7:53 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 5.0
exploitability: 6.2
remediation: 0.0
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.