Wavlink AC3000 Wireless Router Stack-Based Buffer Overflow Vulnerability in CGI Interface Allowing Arbitrary Command Execution
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the Wavlink AC3000 router, specifically in the 'wireless.cgi' file within the 'set_wifi_basic()' function. This vulnerability arises because the function does not properly validate the length of certain POST parameters, allowing for arbitrary data to be written to the stack. An authenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request, potentially leading to arbitrary command execution on the device.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the affected device.
Reproduction
To reproduce this vulnerability, an authenticated user must send an HTTP POST request to the 'wireless.cgi' script with the 'page' parameter set to 'basic'. The request must include a crafted 'SSID2G' parameter that exceeds the buffer length of 0x98 bytes. This will trigger the buffer overflow by overwriting the return address on the stack, which can be exploited to execute arbitrary commands.
Remediation
Wavlink has acknowledged the vulnerability and is reportedly working on a patch, although no specific release date has been provided.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.