GL-iNet GL-AR300M16 Command Injection Vulnerability in WireGuard Configuration Handling

Vulnerability

A command injection vulnerability has been identified in the GL-iNet GL-AR300M16 router running firmware version 4.3.11. The issue arises in the set_config function, which manages WireGuard server private key parameters. The vulnerability allows attackers to execute arbitrary commands by injecting crafted input into the private_key parameter, which is then executed on the system without any sanitization or validation.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

To reproduce this vulnerability, send an HTTP POST request to the router's RPC endpoint. Include a JSON-RPC payload that invokes the 'set_config' method for the WireGuard server. In the 'private_key' parameter, insert a command injection payload, such as a command to echo text into a file. Ensure that the request headers match those of a legitimate browser request, and include a valid Admin-Token cookie.
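The root cause above is that the private_key value reaches a shell without validation. The following is an added example, not the vendor's firmware code: a strict allow-list check that accepts only a well-formed WireGuard key (32 bytes, canonical base64, 44 characters), plus a scan of a JSON-RPC body that reports every 'private_key' value failing that check, usable either as an input filter or as a detection rule over captured requests. The JSON layout and sample values are constructed; only the parameter name comes from the advisory.

```python
import base64
import binascii
import json
import re

# A WireGuard key is 32 raw bytes, base64-encoded: exactly 44 characters
# from the base64 alphabet, ending in a single '='. Shell metacharacters
# cannot pass this allow-list, so a value that fails it must never be
# interpolated into a command line.
_KEY_RE = re.compile(r"^[A-Za-z0-9+/]{43}=$")


def is_valid_wg_key(value) -> bool:
    """Return True only for a canonical base64 encoding of 32 bytes."""
    if not isinstance(value, str) or not _KEY_RE.fullmatch(value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, binascii.Error):
        return False
    # Round-trip check rejects non-canonical encodings (non-zero padding bits).
    return len(raw) == 32 and base64.b64encode(raw).decode("ascii") == value


def _walk(node):
    """Yield every value stored under a 'private_key' key, at any depth."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "private_key":
                yield val
            yield from _walk(val)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def find_bad_private_keys(rpc_body: str) -> list:
    """Return the private_key values in a JSON-RPC body that are not valid keys."""
    try:
        msg = json.loads(rpc_body)
    except json.JSONDecodeError:
        return []
    return [val for val in _walk(msg) if not is_valid_wg_key(val)]


# Constructed sample values (not from the advisory). The RPC layout is assumed.
VALID_KEY = base64.b64encode(bytes(range(32))).decode("ascii")
BAD_REQUEST = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "call",
                          "params": ["wg-server", "set_config",
                                     {"private_key": "bad;key", "listen_port": 51820}]})
GOOD_REQUEST = BAD_REQUEST.replace("bad;key", VALID_KEY)
```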

Added: Mar 12, 2026, 7:27 PM
Updated: Mar 12, 2026, 7:27 PM

Vulnerability Rating

Custom Algorithm

spread          1.4
impact          7.5
exploitability  5.8
remediation     0.0
relevance       3.8
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.