CVE-2023-50922
📋 TL;DR
This vulnerability allows attackers who steal the AdminToken cookie to upload malicious crontab files to GL.iNet devices, leading to arbitrary code execution. It affects multiple GL.iNet router models running firmware versions up to 4.5.0. Attackers can achieve remote code execution by exploiting this file upload vulnerability.
💻 Affected Systems
- GL.iNet A1300
- GL.iNet AX1800
- GL.iNet AXT1800
- GL.iNet MT3000
- GL.iNet MT2500
- GL.iNet MT6000
- GL.iNet MT1300
- GL.iNet MT300N-V2
- GL.iNet AR750S
- GL.iNet AR750
- GL.iNet AR300M
- GL.iNet B1300
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to install persistent backdoors, intercept network traffic, pivot to internal networks, and use the device for botnet activities.
Likely Case
Attackers gain root access to the router, enabling them to modify DNS settings, intercept credentials, and deploy additional malware.
If Mitigated
Limited impact if proper network segmentation, strong authentication, and monitoring are in place to detect cookie theft attempts.
🎯 Exploit Status
Exploitation requires a stolen AdminToken cookie first, but once one is obtained, the file upload and resulting code execution are straightforward. A public proof-of-concept exists in the GitHub repository.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 4.5.0
Vendor Advisory: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Remote%20code%20execution%20due%20to%20gl_crontabs.md
Restart Required: Yes
Instructions:
1. Log into the GL.iNet admin interface.
2. Navigate to System > Upgrade.
3. Check for firmware updates.
4. Download and install the latest firmware version (post 4.5.0).
5. Reboot the device after installation completes.
🔧 Temporary Workarounds
Disable remote admin access
Prevent external attackers from accessing the admin interface by disabling remote administration
Navigate to System > Administration > Remote Access and disable
Implement strong cookie security
Use HTTPS only, set the HttpOnly and Secure flags on cookies, and regularly rotate admin sessions
🧯 If You Can't Patch
- Isolate affected devices in separate VLANs with strict firewall rules limiting outbound connections
- Implement network monitoring for unusual file uploads to /etc/crontabs/ directory and unexpected cron job executions
🔍 How to Verify
Check if Vulnerable:
Check the firmware version in the admin interface under System > Status. If the version is 4.5.0 or earlier on one of the affected models, the device is vulnerable.
Check Version:
ssh admin@router-ip 'cat /etc/glversion' or check via web interface
Verify Fix Applied:
Verify that the firmware version has been updated to a version after 4.5.0. Test by attempting to upload a file to the /etc/crontabs/ directory; the upload should be blocked.
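The two checks above (affected model, firmware 4.5.0 or earlier) are easy to get wrong at scale if versions are compared as strings ("4.10.0" sorts before "4.5.0" as text). The following is an added example, not code from the advisory or from GL.iNet: it encodes the affected-model list and the version boundary stated on this page and compares versions numerically. It assumes the model string is what the admin UI prints (with or without a "GL.iNet"/"GL-" prefix) and that the version string is the dotted form found in /etc/glversion; both are assumptions, and the inventory rows at the bottom are constructed.

```python
"""Added example (not from the advisory): decide whether a GL.iNet device is
in the affected set for CVE-2023-50922 from its model and firmware version.

Assumptions: the model name is the one shown in the admin UI and the version
string is the dotted numeric form found in /etc/glversion (e.g. "4.4.6").
"""

import re

# Affected models, exactly as listed in the advisory.
AFFECTED_MODELS = {
    "A1300", "AX1800", "AXT1800", "MT3000", "MT2500", "MT6000",
    "MT1300", "MT300N-V2", "AR750S", "AR750", "AR300M", "B1300",
}

# Last affected firmware per the advisory: fixed in versions after 4.5.0.
LAST_VULNERABLE = (4, 5, 0)


def parse_version(raw: str) -> tuple:
    """Turn "4.5.0" (or "4.4.6-release1") into a tuple of ints.

    Comparing tuples instead of raw strings avoids the classic mistake
    where "4.10.0" < "4.5.0" when compared as text.
    """
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", raw)
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def normalise_model(model: str) -> str:
    """Accept "GL.iNet MT3000", "GL-MT3000" or "mt3000" and return "MT3000"."""
    m = model.strip().upper()
    for prefix in ("GL.INET ", "GL-", "GL "):
        if m.startswith(prefix):
            m = m[len(prefix):]
    return m


def is_vulnerable(model: str, version: str) -> bool:
    """True when the model is affected and the firmware is 4.5.0 or earlier."""
    if normalise_model(model) not in AFFECTED_MODELS:
        return False
    return parse_version(version) <= LAST_VULNERABLE


if __name__ == "__main__":
    # Constructed inventory rows, not real devices.
    inventory = [
        ("GL.iNet MT3000", "4.4.6"),
        ("GL-AX1800", "4.5.0"),
        ("GL.iNet MT6000", "4.5.7"),
        ("GL.iNet SFT1200", "4.3.7"),   # not in the affected list
    ]
    for model, ver in inventory:
        status = "VULNERABLE" if is_vulnerable(model, ver) else "not affected"
        print(f"{model:18} {ver:8} {status}")
```

Feed it the output of `cat /etc/glversion` from each device (for example over the ssh command given under "Check Version") together with the model name from your inventory, and it returns the vulnerable devices so they can be prioritised for the firmware upgrade.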
📡 Detection & Monitoring
Log Indicators:
- File uploads to /etc/crontabs/ directory
- Unexpected cron job executions
- AdminToken cookie usage from unusual IP addresses
Network Indicators:
- HTTP POST requests to file upload endpoints with crontab content
- Outbound connections from router to unexpected destinations
SIEM Query:
source="router-logs" AND (path="/etc/crontabs/*" OR process="crond") AND (action="upload" OR action="execute")
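The three log indicators above are simple to express as rules, and a worked version makes the needed baselines explicit. The following detector is an added example, not part of the advisory and not GL.iNet code: it parses constructed key=value log lines (real GL.iNet/OpenWrt logs are plain syslog text, so `parse_line` is the part to swap out), then flags uploads into /etc/crontabs/, crond executions outside an expected-command baseline, and AdminToken use from an address not on a known-admin list. The known-admin IPs and the expected cron commands are placeholder assumptions that must come from your own environment.

```python
"""Added example (not from the advisory): apply the advisory's three log
indicators for CVE-2023-50922 to router log lines.

The log format is constructed for this example; the baselines below are
placeholders, not real data."""

from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed environment baseline (placeholders).
KNOWN_ADMIN_IPS = {"192.0.2.10"}
EXPECTED_CRON_COMMANDS = {"/usr/bin/logrotate", "/usr/sbin/ntpd -q"}

CRONTAB_DIR = "/etc/crontabs/"

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict[str, str]:
    """Parse 'key=value key="quoted value"' lines into a dict."""
    return {m.group(1): m.group(2).strip('"') for m in _KV.finditer(line)}


@dataclass(frozen=True)
class Alert:
    line_no: int
    rule: str
    detail: str


def evaluate(fields: dict[str, str]) -> list[str]:
    """Return the names of every indicator a single record matches."""
    hits = []
    action = fields.get("action", "")
    path = fields.get("path", "")
    src = fields.get("src", "")

    # Indicator 1: any upload landing in the crontab directory.
    if action == "upload" and path.startswith(CRONTAB_DIR):
        hits.append("crontab_upload")

    # Indicator 2: crond executing a command outside the baseline.
    if fields.get("process") == "crond" and action == "execute":
        if fields.get("cmd", "") not in EXPECTED_CRON_COMMANDS:
            hits.append("unexpected_cron_exec")

    # Indicator 3: AdminToken presented from an address not on the admin list.
    if fields.get("cookie") == "AdminToken" and src not in KNOWN_ADMIN_IPS:
        hits.append("admintoken_unusual_ip")

    return hits


def scan(lines: list[str]) -> list[Alert]:
    """Run every rule over every line and collect the alerts in order."""
    alerts = []
    for n, line in enumerate(lines, start=1):
        for rule in evaluate(parse_line(line)):
            alerts.append(Alert(n, rule, line.strip()))
    return alerts


# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    'ts=2024-01-10T12:00:01Z src=192.0.2.10 cookie=AdminToken action=login path=/cgi-bin/api',
    'ts=2024-01-10T12:00:05Z src=192.0.2.10 cookie=AdminToken action=upload path=/tmp/firmware.bin',
    'ts=2024-01-10T12:01:10Z src=203.0.113.9 cookie=AdminToken action=upload path=/etc/crontabs/root',
    'ts=2024-01-10T12:02:00Z process=crond action=execute cmd=/usr/bin/logrotate',
    'ts=2024-01-10T12:02:00Z process=crond action=execute cmd="/bin/sh -c /tmp/x.sh"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.rule}: {a.detail}")
```

On the sample lines, only the third (crontab upload from an unknown address, which trips two rules) and the fifth (crond running a command outside the baseline) produce alerts; the legitimate admin login and the firmware upload from the known admin address stay quiet. Note that the cron-execution rule needs a baseline of expected commands, otherwise every scheduled job on the router would alert.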