CVE-2023-46455
Published 2023-12-12
Priority: P269 · Severity: high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EXPLOIT
EPSS: 46.97% (98.7th percentile)
In GL.iNET GL-AR300M routers with firmware v4.3.7 it is possible to write arbitrary files through a path traversal attack in the OpenVPN client file upload functionality.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gl-inet | gl-ar300m_firmware | — | — |
Detection & IOCs
- Monitor for HTTP POST requests to the /upload endpoint on GL.iNet devices, particularly multipart form-data submissions containing a 'path' field with path traversal sequences (e.g., '../') targeting locations outside /tmp.
- Detect the exploit by looking for multipart form-data POST requests to /upload with the specific boundary value '---------------------------81419250823331111993422505835' in the Content-Type header.
- Alert on HTTP 200 responses from GL.iNet /upload endpoint containing the string 'File uploaded successfully', which confirms successful exploitation of the path traversal file write.
- The vulnerability is in the OpenVPN client file upload functionality; inspect multipart form fields 'sid', 'size', 'path', and 'file' for anomalous path values indicating traversal attempts.
- Use Shodan or passive DNS to identify exposed GL.iNet admin panels as potential targets; the query 'title:"GL.iNet Admin Panel"' surfaces vulnerable devices.
- The vulnerability affects GL.iNet GL-AR300M routers specifically on firmware version 4.3.7; devices on earlier versions may also be affected per the Nuclei template scope of '<= 4.3.7'.
- The exploit is described as unauthenticated (PR:N in CVSS), meaning no prior authentication is required to reach the /upload endpoint and write arbitrary files.
- The Nuclei template uses an auth_token variable, suggesting some deployments may require a session ID (sid) field in the multipart body; the token may be obtainable without credentials or via a separate unauthenticated step.
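The request-side checks from the list above, as an added example (not code from this page, the Exploit-DB entry or the Nuclei template): it parses a captured multipart POST to /upload and reports the listed boundary value, traversal sequences in the 'path' field, and paths that resolve outside /tmp. The sample requests, the field values and the assumption that relative 'path' values resolve under /tmp are constructed for illustration.

```python
import posixpath
from email.parser import BytesParser
from email.policy import HTTP

ALLOWED_ROOT = "/tmp"  # assumption: legitimate uploads stay under /tmp
IOC_BOUNDARY = "---------------------------81419250823331111993422505835"  # from the page

def form_fields(content_type, body):
    """Parse a multipart/form-data body into {field name: text value}."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = BytesParser(policy=HTTP).parsebytes(raw)
    fields = {}
    for part in msg.iter_parts():  # yields nothing if the body is not multipart
        name = part.get_param("name", header="content-disposition")
        if name:
            value = part.get_payload(decode=True) or b""
            fields[name] = value.decode(errors="replace").strip()
    return fields

def upload_findings(method, uri, content_type, body):
    """Return the reasons a captured request matches the indicators above."""
    if method != "POST" or uri.split("?")[0] != "/upload":
        return []
    findings = []
    if IOC_BOUNDARY in content_type:
        findings.append("boundary matches listed indicator")
    path = form_fields(content_type, body).get("path")
    if path is not None:
        if ".." in path.replace("\\", "/").split("/"):
            findings.append("traversal sequence in path field")
        # Normalise first, so an absolute path with no '..' is still caught.
        resolved = posixpath.normpath(posixpath.join(ALLOWED_ROOT, path))
        if resolved != ALLOWED_ROOT and not resolved.startswith(ALLOWED_ROOT + "/"):
            findings.append("path resolves outside " + ALLOWED_ROOT)
    return findings

def sample_body(boundary, fields):
    """Build a constructed multipart body for the demo (not captured traffic)."""
    out = b""
    for name, value in fields.items():
        out += (f'--{boundary}\r\nContent-Disposition: form-data; '
                f'name="{name}"\r\n\r\n{value}\r\n').encode()
    return out + f"--{boundary}--\r\n".encode()

if __name__ == "__main__":
    b = "constructed-boundary"
    ctype = "multipart/form-data; boundary=" + b
    for p in ("/tmp/ovpn/client.ovpn", "/tmp/../etc/constructed-example"):
        body = sample_body(b, {"sid": "CONSTRUCTED", "size": "4", "path": p, "file": "data"})
        print(p, "->", upload_findings("POST", "/upload", ctype, body))
```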
No detection rules found.
Exploit-DB
GL.iNet AR300M v4.3.7 Arbitrary File Read - CVE-2023-46455 Exploit
exploitdb·2024-03-03·CVSS 7.5
---
#!/usr/bin/env python3
# Exploit Title: GL.iNet '.format(argv[0]))
exit(1)
main(argv[1], argv[2])
Nuclei
GL.iNet <= 4.3.7 - Arbitrary File Write
nuclei·CVSS 7.5
GL.iNet <= 4.3.7 is vulnerable to an arbitrary file write exploit, allowing an attacker to overwrite arbitrary system files.
Template:
```yaml
id: CVE-2023-46455
info:
  name: GL.iNet <= 4.3.7 - Arbitrary File Write
  author: Zierax
  severity: high
  description: |
    GL.iNet <= 4.3.7 is vulnerable to an arbitrary file write exploit, allowing an attacker to overwrite arbitrary system files.
  impact: |
    Unauthenticated attackers can overwrite arbitrary system files, potentially compromising the device configuration and enabling persistent access.
  remediation: |
    Upgrade GL.iNet devices to firmware version 4.3.8 or later.
  reference:
    - https://github.com/cyberaz0r/GL.iNet-Multiple-Vulnerabilities/blob/main/CVE-2023-46455.py
    - https://nvd.nist.gov/vuln/detail/CVE-2023-46
```
No writeups or analysis indexed.
Published: 2023-12-12