Wavlink AC3000 Buffer Overflow Vulnerability in adm.cgi rep_as_bridge() Function

Vulnerability

A buffer overflow vulnerability has been identified in the Wavlink AC3000 router, specifically in the adm.cgi file within the rep_as_bridge() function. This vulnerability, present in version M33A8.V5030.210505, allows for a stack-based buffer overflow when a specially crafted HTTP request is sent. The issue can be triggered by an authenticated user.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, allowing for arbitrary code execution on the affected device.

Reproduction

To reproduce this vulnerability, an authenticated user must send an HTTP POST request to the adm.cgi binary with the 'page' parameter set to 'wzdrepeater'. The 'rep_type' POST parameter must be set to '1', and the 'wl_rep_ssid2g' parameter must be crafted to exceed 160 bytes. This will cause the router to overwrite the return address of the function, leading to arbitrary code execution.
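The request conditions described above can be turned into a detection check for a reverse proxy or log pipeline sitting in front of the router's management interface. This is an added example, not code from the vendor or from this advisory; the function name, the labels it returns and the /cgi-bin/ path in the constructed samples are assumptions, while the parameter names and the 160-byte figure come from the text above.

```python
from urllib.parse import parse_qs

# Parameter names and the 160-byte figure come from the advisory text.
TARGET_PAGE = "wzdrepeater"
SSID_PARAM = "wl_rep_ssid2g"
OVERFLOW_BYTES = 160
MAX_SSID_BYTES = 32  # 802.11 limits an SSID to 32 octets


def classify_request(method, path, body):
    """Classify one HTTP request as 'overflow', 'invalid-ssid' or 'ok'."""
    if isinstance(body, bytes):
        body = body.decode("latin-1")
    if method.upper() != "POST":
        return "ok"
    if not path.split("?", 1)[0].endswith("adm.cgi"):
        return "ok"
    # latin-1 maps every percent-decoded byte to one character, so len()
    # below counts decoded bytes rather than encoded characters.
    fields = parse_qs(body, keep_blank_values=True, encoding="latin-1")
    if TARGET_PAGE not in fields.get("page", []):
        return "ok"
    # Check every occurrence: a duplicated parameter must not hide a long one.
    longest = max((len(v) for v in fields.get(SSID_PARAM, [])), default=0)
    if longest > OVERFLOW_BYTES:
        return "overflow"
    if longest > MAX_SSID_BYTES:
        return "invalid-ssid"
    return "ok"


# Constructed sample requests (method, path, body); the /cgi-bin/ prefix is assumed.
SAMPLES = [
    ("POST", "/cgi-bin/adm.cgi", "page=wzdrepeater&rep_type=1&wl_rep_ssid2g=HomeNet"),
    ("POST", "/cgi-bin/adm.cgi", "page=wzdrepeater&rep_type=1&wl_rep_ssid2g=" + "%41" * 40),
    ("POST", "/cgi-bin/adm.cgi", "page=wzdrepeater&rep_type=1&wl_rep_ssid2g=" + "A" * 200),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(classify_request(method, path, body), len(body))
```

The check does not require rep_type to be '1', because an SSID longer than 32 bytes is never legitimate and is worth flagging on its own.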

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 7.5
exploitability: 6.2
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.