Wavlink AC3000 Buffer Overflow Vulnerability in usbip.cgi set_info() Function

A buffer overflow vulnerability has been identified in the Wavlink AC3000 router, specifically in the usbip.cgi set_info() function, version M33A8.V5030.210505. This vulnerability allows for a stack-based buffer overflow, which can be triggered by an authenticated user sending a specially crafted HTTP request. The issue arises because the set_info() function does not properly validate the length of input data before copying it to the stack, creating an opportunity for an attacker to overwrite the return address and potentially execute arbitrary code.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, allowing for the overwriting of the return address with arbitrary data. This could result in unauthorized code execution on the device.

Reproduction

To reproduce this vulnerability, an authenticated user must send an HTTP POST request to the Wavlink AC3000 router's usbip.cgi script. The request must include a crafted 'SSID' parameter that exceeds the buffer length, bypassing the 'check_valid_user()' authentication check. Once the 'SSID' parameter is processed by the 'set_info()' function, the lack of length validation allows the overflow to occur, potentially leading to code execution.