Wavlink AC3000 Command Execution Vulnerability in qos.cgi
Vulnerability
A command execution vulnerability has been identified in the Wavlink AC3000 router, specifically in the qos.cgi file within the qos_sta() function. This vulnerability allows for arbitrary command execution via a specially crafted HTTP request. The issue arises because the router's lighttpd server configuration permits unauthenticated access to .cgi binaries in the web root, leaving it up to the binaries to verify user authentication. Once authenticated, an attacker can exploit the vulnerability by injecting commands that are executed by the router's cron service.
Impact
Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the router with elevated privileges, potentially leading to unauthorized access or control over the device.
Reproduction
To reproduce this vulnerability, an authenticated user must send an HTTP POST request to the Wavlink AC3000 router's qos.cgi file, with the 'page' parameter set to 'qos_sta'. The 'time_control_num' parameter must be set to a value greater than zero, and the 'time_control' parameter can be used to inject commands. Once the injection is successful, the commands will be executed via the router's cron service.
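A log-side check for the request shape described above, added here as an example and not taken from the vendor or from the original advisory: it flags POST requests to qos.cgi with page=qos_sta, a positive time_control_num, and shell metacharacters or line breaks in time_control. The metacharacter set, the function names, the /cgi-bin/ path and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: shell metacharacters plus CR/LF (crontab files are line-oriented,
# so a line break in a stored value would begin a new entry).
SUSPICIOUS = re.compile(r"[;&|`$(){}<>\\\r\n]")


def to_int(text):
    """Parse an integer parameter, treating anything non-numeric as 0."""
    try:
        return int(text)
    except ValueError:
        return 0


def inspect_qos_request(method, url, body):
    """Return the decoded time_control values that look like injection attempts."""
    if method.upper() != "POST" or not urlsplit(url).path.endswith("/qos.cgi"):
        return []
    # parse_qs percent-decodes, so %3B and %0A are seen as ';' and '\n'.
    params = parse_qs(body, keep_blank_values=True)
    if "qos_sta" not in params.get("page", []):
        return []
    # The advisory states time_control_num must be greater than zero.
    if not any(to_int(v) > 0 for v in params.get("time_control_num", [])):
        return []
    # Every duplicate is checked: which copy the CGI reads is not documented.
    return [v for v in params.get("time_control", []) if SUSPICIOUS.search(v)]


# Constructed sample requests (method, URL, form body); not captured traffic.
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/qos.cgi", "page=qos_sta&time_control_num=1&time_control=08%3A00-17%3A00"),
    ("POST", "/cgi-bin/qos.cgi", "page=qos_sta&time_control_num=1&time_control=1%3BCMD_PLACEHOLDER"),
    ("POST", "/cgi-bin/qos.cgi", "page=qos_sta&time_control_num=2&time_control=1%0ACMD_PLACEHOLDER"),
    ("POST", "/cgi-bin/qos.cgi", "page=qos_sta&time_control_num=0&time_control=1%3BCMD_PLACEHOLDER"),
]


def scan(requests):
    """Return (index, offending values) for each request that is flagged."""
    results = []
    for index, request in enumerate(requests):
        hits = inspect_qos_request(*request)
        if hits:
            results.append((index, hits))
    return results


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_REQUESTS):
        print(f"request {index}: suspicious time_control values {hits!r}")
```

The check needs the request body, so it applies to a reverse proxy, WAF or packet capture in front of the device rather than to a plain access log.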
