Wavlink AC3000 Buffer Overflow Vulnerability in login.cgi Goto_chidx() Function

Vulnerability

A buffer overflow vulnerability has been identified in the Wavlink AC3000 router, specifically in the Goto_chidx() function of the login.cgi binary, in firmware version M33A8.V5030.210505. A specially crafted HTTP request triggers a stack-based buffer overflow in this function. Because the login.cgi binary does not require authentication, the vulnerable code path is reachable by anyone with network access to the router.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, allowing for potential arbitrary code execution.

Reproduction

To reproduce this vulnerability, send an unauthenticated HTTP POST request to the login.cgi script with the 'page' parameter set to 'Goto_chidx' and a 'Content-Length' header value below 499. The Goto_chidx() function is then invoked, and its 'wlanUrl' parameter can be exploited by supplying a URL longer than the destination buffer, which overwrites the return address on the stack and leads to code execution.
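For detection, the conditions above translate directly into a rule over HTTP request logs: an unauthenticated POST to login.cgi whose body carries page=Goto_chidx, a Content-Length below 499, and a wlanUrl value far longer than any legitimate URL the page would expect. The following Python is an added example written for this advisory, not code from the advisory or from Wavlink; the log entry structure, the /cgi-bin/ prefix on the path and the WLANURL_MAX threshold are assumptions (the advisory does not state the buffer size), and the sample entries are constructed.

```python
from urllib.parse import parse_qs

# Assumed log shape (constructed for this example): one dict per request with
# the method, the request path, the Content-Length header (None if absent) and
# the raw body. The trigger conditions come from the advisory; the buffer size
# does not appear there, so WLANURL_MAX is a tunable threshold, not a fact.
WLANURL_MAX = 128  # assumption: flag wlanUrl values this long or longer


def is_goto_chidx_overflow_attempt(method, path, content_length, body):
    """Return True when a request matches the advisory's trigger pattern."""
    if method.upper() != "POST":
        return False
    # The advisory names login.cgi but not its directory, so match the file name only.
    if not path.split("?", 1)[0].endswith("login.cgi"):
        return False
    # The advisory states the Content-Length must be below 499 for the
    # vulnerable branch to run; larger bodies never reach Goto_chidx().
    if content_length is None or content_length >= 499:
        return False
    params = parse_qs(body, keep_blank_values=True)
    if params.get("page", [""])[0] != "Goto_chidx":
        return False
    wlan_url = params.get("wlanUrl", [""])[0]
    return len(wlan_url) >= WLANURL_MAX


def scan(entries):
    """Return the indices of log entries that look like overflow attempts."""
    return [
        i for i, e in enumerate(entries)
        if is_goto_chidx_overflow_attempt(
            e["method"], e["path"], e.get("content_length"), e["body"])
    ]


# Constructed sample entries (not from the advisory): a normal login, a benign
# Goto_chidx request with a short URL, an oversized wlanUrl, and a GET that
# cannot reach the POST handler.
SAMPLE = [
    {"method": "POST", "path": "/cgi-bin/login.cgi", "content_length": 36,
     "body": "page=login&username=admin&password=x"},
    {"method": "POST", "path": "/cgi-bin/login.cgi", "content_length": 41,
     "body": "page=Goto_chidx&wlanUrl=http://192.0.2.1/"},
    {"method": "POST", "path": "/cgi-bin/login.cgi", "content_length": 284,
     "body": "page=Goto_chidx&wlanUrl=" + "A" * 260},
    {"method": "GET", "path": "/cgi-bin/login.cgi?page=Goto_chidx",
     "content_length": None, "body": ""},
]

if __name__ == "__main__":
    for idx in scan(SAMPLE):
        print(f"suspicious request #{idx}: {SAMPLE[idx]['body'][:40]}...")
```

The Content-Length check mirrors the advisory's precondition rather than the usual "bigger is worse" heuristic: on this firmware, bodies of 499 bytes or more never reach the vulnerable function, so a rule that only looks for large requests would miss the actual trigger. Tune WLANURL_MAX to the longest wlanUrl value seen in legitimate traffic on the network being monitored.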

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these eight vulnerability categories, which are then combined into the overall risk score.