Wavlink AC3000 Command Injection Vulnerability in touchlist_sync.cgi

A command injection vulnerability has been identified in the Wavlink AC3000 router, specifically in the touchlist_sync.cgi file within the touchlistsync() function. This vulnerability allows for arbitrary code execution via a crafted HTTP request. The issue arises because the CGI binary does not properly validate user authentication, leaving it open to exploitation by anyone with network access to the device.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected device.

Reproduction

To reproduce this vulnerability, send an HTTP request to the Wavlink AC3000 router's touchlist_sync.cgi script. Include the 'IP' parameter in the query string, directing the request to a server that the attacker controls. The 'getACL' parameter should be set to a value other than '1'. When the router processes the request, it will execute a curl command that retrieves the response from the attacker's server. If the response contains specific characters, the router will execute commands based on the injected data, leading to command execution on the device.