Security vulnerabilities discovered in "Mango" routers
At the end of April, the Offensive Security team organized an internal hacking event with pizza and cool drinks. As part of this event, we examined various devices and software solutions for vulnerabilities. One of the devices tested was the popular “Mango” router from GL.iNet. This router is commonly used, among other things, to protect your own laptop from direct attacks in potentially insecure networks (e.g., public Wi-Fi at airports, in hotels or in cafés) and/or to establish an encrypted VPN connection.
As a result, four security vulnerabilities were found, which were subsequently reported to the manufacturer with detailed vulnerability descriptions and suggested fixes. The bugs were fixed within approximately three weeks. On August 1, GL.iNet published a security advisory, assigning public vulnerability numbers (“Common Vulnerabilities and Exposures” entries, or CVEs) to the issues. As the manufacturer has combined two of the bugs into one vulnerability, there are three CVEs in total. In addition to the “Mango” router itself, the vulnerabilities also affected all GL.iNet routers supported at the time.
The vulnerabilities were identified by reverse engineering the web server applications, which were available only as machine code. This process attempts to reconstruct the original source code as it was written by the developers. The reconstructed source code was then analyzed for programming errors that could potentially lead to security vulnerabilities.
CVE-2024-39226 describes missing input validation in the “s2s” interface, which is used to configure the echo server. This makes it possible for an authenticated user to inject their own commands using manipulated web requests, which are then executed by the router with root privileges.
CVE-2024-39227 describes a missing access check, which allows unauthenticated attackers to gain access to the “gl-rpc” interface. In addition, a missing input validation was detected in this interface, allowing arbitrary libraries to be loaded via “path traversal”.
CVE-2024-39228 describes missing input validation in the “check_ovpn_client_config” interface. Using manipulated file names, authenticated attackers can inject their own commands, which are then executed by the router with root privileges when these files are checked.
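The two file-name issues above (command injection through a manipulated file name, and path traversal) share one root cause: a user-supplied name reaching a shell command line or a file system path unchecked. The following is an added illustration of the kind of allow-list validation that closes both; it is not GL.iNet's code, and the function names and the assumed config directory `/etc/openvpn/client` are placeholders chosen for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed config directory (placeholder, not taken from the advisory). */
#define CONFIG_DIR "/etc/openvpn/client"

/* Unsafe pattern the advisory describes in spirit: interpolating a user-
 * supplied name into a shell command, e.g. "checker --config <name>" via
 * system(), lets shell metacharacters in the name become extra commands.
 * The hardened approach is to allow-list the name first and, when the
 * checker is invoked, pass the path as a single execv() argument instead. */

/* Accept only a bare file name: [A-Za-z0-9._-], not starting with '.',
 * no "..", ending in ".ovpn". Rejects '/', ';', '$', '`', spaces, etc. */
bool is_safe_ovpn_name(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > 64 || name[0] == '.')
        return false;                       /* empty, oversized, hidden or ".." */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return false;                   /* path separator or shell metacharacter */
    }
    if (strstr(name, ".."))
        return false;                       /* traversal fragment inside the name */
    const char *ext = ".ovpn";
    size_t elen = strlen(ext);
    return len > elen && strcmp(name + len - elen, ext) == 0;
}

/* Build CONFIG_DIR/name and, as defence in depth, confirm the result still
 * lies inside CONFIG_DIR before the caller hands it to the checker. */
bool build_config_path(const char *name, char *out, size_t outsz)
{
    if (!is_safe_ovpn_name(name))
        return false;
    int n = snprintf(out, outsz, "%s/%s", CONFIG_DIR, name);
    if (n < 0 || (size_t)n >= outsz)
        return false;                       /* truncated path: refuse */
    return strncmp(out, CONFIG_DIR "/", sizeof(CONFIG_DIR)) == 0;
}

int main(void)
{
    char path[256];
    const char *samples[] = { "office.ovpn", "../../etc/passwd", "a;id.ovpn" };
    for (size_t i = 0; i < 3; i++)
        printf("%-20s -> %s\n", samples[i],
               build_config_path(samples[i], path, sizeof path) ? path : "rejected");
    return 0;
}
```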
Would you like to have the security of your embedded systems checked? Please feel free to contact us.