Summary of GL.iNet Router Authentication Bypass Vulnerability

Vulnerability Overview

This vulnerability originates from the lack of proper authentication checks in the session file. Attackers can bypass the authentication mechanism and obtain root privileges by constructing specific usernames that leverage regular expression injection and SQL injection at the same time.

Attack Principle:

1. The username is not correctly sanitized before being passed directly to the function.
2. The attacker injects a regular expression to match the root user.
3. Simultaneously, the attacker injects into the SQL query to retrieve the root group.
4. Since the root user ID is always 0, the attacker can calculate the correct hash value.

Scope of Impact

Platform: Hardware (HARDWARE)
Type: Web Application (WEBAPPS)

Affected Devices:

- GL.iNet GL-MT300N (4.3.7)
- GL.iNet GL-MB3000 (4.3.7)
- GL.iNet GL-B1300 (4.3.7)
- GL.iNet GL-AX1800 (4.3.7)
- GL.iNet GL-AR750S (4.3.7)
- GL.iNet GL-MT2500 (4.3.7)
- GL.iNet GL-AXT1800 (4.3.7)
- GL.iNet GL-X3000 (4.3.7)
- GL.iNet GL-SFT1200 (4.3.7)
- And many more devices

Firmware Version: 4.3.7
Publication Date: 2023/09/13
CVE: CVE-2023-46453
Remediation Status: Vulnerability patched
Patch Date: 2023/11/06
Recommendation: Update firmware to the latest version

Proof of Concept (POC)
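Added defensive example (not the proof of concept and not GL.iNet's code): a login-name lookup that closes both injection points named under Attack Principle by allowlisting the username, comparing the passwd field literally instead of building a regular expression from input, and binding the name as a SQL parameter. The `accounts` table, its `acl` column, the sample passwd text and all function names are hypothetical and constructed for illustration.

```python
import re
import sqlite3

# Assumption: login names are limited to a conservative character set.
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")

# Constructed sample data, not taken from any device.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/ash\n"
                 "guest:x:1000:1000:guest:/home/guest:/bin/false\n")


def valid_username(name):
    """Allowlist check, applied before the name reaches any lookup."""
    return isinstance(name, str) and USERNAME_RE.fullmatch(name) is not None


def find_account(passwd_text, name):
    """Return (name, uid) by literal comparison of the first field."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[0] == name:  # no regex built from input
            return fields[0], int(fields[2])
    return None


def find_group(db, name):
    """Return the ACL group; the name is bound, never spliced into SQL."""
    row = db.execute("SELECT acl FROM accounts WHERE username = ?",
                     (name,)).fetchone()
    return row[0] if row else None


def resolve_login(passwd_text, db, name):
    """Resolve a login name to (name, uid, group), or None if any step fails."""
    if not valid_username(name):
        return None
    account = find_account(passwd_text, name)
    group = find_group(db, name)
    if account is None or group is None:
        return None
    return account[0], account[1], group


def make_sample_db():
    """Build a constructed in-memory accounts table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, acl TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("root", "root"), ("guest", "guest")])
    return db
```

The literal comparison and the bound parameter each hold on their own, so a name that slipped past the allowlist would still be treated as data rather than as a pattern or as SQL.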