GL-iNet GL-AR300M16
cpe:2.3:h:gl-inet:ar300m16:*:*:*:*:*:*:*
- 4.3.11
A command injection vulnerability has been identified in the GL-iNet GL-AR300M16 router running firmware version 4.3.11. The issue arises in the set_upgrade function, which does not properly sanitize several parameters, including modem_url, target_version, current_version, firmware_upload, hash_type, hash_value, and upgrade_type. This lack of validation allows attackers to inject shell metacharacters and execute arbitrary commands with root privileges. Exploitation could lead to a full system compromise, unauthorized access, data theft, or the installation of a persistent backdoor.
Exploitation of this vulnerability allows for arbitrary command execution with root privileges on the affected device.
The vulnerability can be reproduced by sending a crafted HTTP request to the router's RPC endpoint. The request must include the 'Admin-Token' cookie for authentication. The 'params' field of the request should be populated with the vulnerable parameters, injecting malicious commands into the 'modem_url' parameter. Once the request is sent, the injected command will be executed with root privileges, as demonstrated by the exploitation screenshot.
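One way to triage logged RPC request bodies for this issue, as an added example (not code from the advisory or from GL-iNet): it flags shell metacharacters in any of the seven parameters named above, wherever they sit under 'params'. The JSON body layout, the sample requests and the metacharacter set are assumptions constructed here.

```python
import json
import re

# The seven parameters the advisory lists as unsanitized in set_upgrade.
SUSPECT_PARAMS = {
    "modem_url", "target_version", "current_version", "firmware_upload",
    "hash_type", "hash_value", "upgrade_type",
}
# Assumed metacharacter set; '&' can also appear in a legitimate URL query
# string, so treat a lone '&' hit on modem_url as lower confidence.
SHELL_META = re.compile(r"[;&|`$()<>\\\n\r'\"]")


def _walk(node):
    """Yield (key, value) for every string-valued dict entry at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(value, str):
                yield key, value
            else:
                yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def flag_request(body):
    """Return sorted (param, offending_chars) pairs for one logged RPC body."""
    try:
        doc = json.loads(body)
    except ValueError:
        return [("<unparseable>", "")]
    params = doc.get("params") if isinstance(doc, dict) else None
    hits = []
    for key, value in _walk(params):
        if key in SUSPECT_PARAMS:
            bad = "".join(sorted(set(SHELL_META.findall(value))))
            if bad:
                hits.append((key, bad))
    return sorted(hits)


# Constructed sample bodies; the real request layout is not given on the page.
CLEAN = json.dumps({"params": {"function": "set_upgrade", "args": {
    "modem_url": "http://fw.example.invalid/m.bin", "target_version": "1.2.3"}}})
TAINTED = json.dumps({"params": {"function": "set_upgrade", "args": {
    "modem_url": "http://fw.example.invalid/m.bin;id", "hash_value": "$(id)"}}})

if __name__ == "__main__":
    for name, body in (("clean", CLEAN), ("tainted", TAINTED)):
        print(name, flag_request(body))
```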