Wavlink AC3000 Stack-Based Buffer Overflow Vulnerability in touchlist_sync.cgi Allowing Arbitrary Code Execution

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Wavlink AC3000 router, in the touchlistsync() function of the touchlist_sync.cgi file. The vulnerability arises because the CGI binary does not properly validate user authentication, so an attacker can send a specially crafted HTTP request and exploit it to execute arbitrary code. The issue is present in the Wavlink AC3000 model M33A8.V5030.210505.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, allowing for arbitrary code execution on the affected device.

Reproduction

To reproduce this vulnerability, send an HTTP request to the Wavlink AC3000 router's touchlist_sync.cgi script without the required authentication. The request must include the 'IP' parameter, which the server will use to execute a curl command. The response from this command can be crafted to include data that, when processed by the vulnerable function, will overflow a buffer and overwrite the return address, leading to arbitrary code execution.
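
A defensive check for the request pattern described above, as an added example that is not part of the original advisory: it scans web access logs for requests to touchlist_sync.cgi and triages them by the host named in the 'IP' parameter. The Common Log Format input, the /cgi-bin/ path in the sample lines, the local address ranges and the severity labels are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

SCRIPT = "touchlist_sync.cgi"  # script name taken from the advisory
PARAM = "IP"                   # parameter name taken from the advisory
# Assumption: requests to the router are logged in Common Log Format
# (for example by a reverse proxy or IDS in front of the device).
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)')
# Assumption: addresses in these ranges count as "local" for triage.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def classify_target(value):
    """Classify the host the router is asked to fetch from."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return "not-an-address"
    return "local" if any(addr in net for net in LOCAL_NETS) else "external"

def scan(lines):
    """Return (line_no, source, severity, detail) for each request to the script."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if unquote(url.path).rsplit("/", 1)[-1].lower() != SCRIPT:
            continue
        values = parse_qs(url.query, keep_blank_values=True).get(PARAM)
        if values is None:
            # The parameter may sit in a request body that the log does not record.
            findings.append((line_no, m["src"], "review", "no IP parameter in URL"))
            continue
        kinds = {classify_target(v) for v in values}
        severity = "medium" if kinds == {"local"} else "high"
        findings.append((line_no, m["src"], severity, ",".join(sorted(kinds))))
    return findings

# Constructed sample log lines (paths and addresses are illustrative).
SAMPLE = [
    '198.51.100.23 - - [09/Jun/2025:19:40:01 +0000] "GET /cgi-bin/touchlist_sync.cgi?IP=203.0.113.7 HTTP/1.1" 200 512',
    '192.168.10.5 - - [09/Jun/2025:19:41:10 +0000] "GET /cgi-bin/touchlist_sync.cgi?IP=192.168.10.1 HTTP/1.1" 200 128',
    '192.168.10.5 - - [09/Jun/2025:19:42:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.23 - - [09/Jun/2025:19:43:30 +0000] "POST /cgi-bin/touchlist_sync.cgi HTTP/1.1" 200 64',
]
```

Calling scan(SAMPLE) reports lines 1, 2 and 4; a "high" finding means the router was pointed at a host outside the local ranges, whose response it would then process.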

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 7.5
exploitability: 8.8
remediation: 0.0
relevance: 0.0
threat: 5.1
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.