Wavlink AC3000
cpe:2.3:h:wavlink:jetstream_ac3000:*:*:*:*:*:*:*
- M33A8.V5030.210505
A stack-based buffer overflow has been identified in the Wavlink AC3000 router, in the set_TR069() function of adm.cgi, in firmware version M33A8.V5030.210505. An authenticated user can trigger it by sending a specially crafted HTTP request. The TR069-related parameters are not properly validated, which makes the overflow exploitable and can potentially lead to arbitrary code execution.
Exploitation of this vulnerability causes a stack-based buffer overflow, which can be leveraged for arbitrary code execution on the device.
To reproduce this vulnerability, an authenticated user must send an HTTP POST request to the adm.cgi binary with the page parameter set to 'TR069'. The request should include TR069-related data, particularly the 'TR069_local_port' parameter, crafted to exceed 320 bytes. This will trigger the buffer overflow by overwriting the return address of the set_TR069 function, leading to arbitrary code execution.
Wavlink has acknowledged the vulnerability and is working on a patch, although no specific release date has been provided.
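The kind of input validation the description says is missing, as an added example that is not code from the Wavlink firmware: the length of 'TR069_local_port' is checked before anything is copied, and the value is accepted only as a decimal port number. The function names, the form-encoded body layout and the 5-digit limit are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

#define PORT_MAX_DIGITS 5   /* longest valid value is "65535" */

/* Hypothetical helper: locate `name=` in an x-www-form-urlencoded body and
 * return a pointer to its value and the value length. Nothing is copied. */
static const char *form_value(const char *body, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t flen = end ? (size_t)(end - p) : strlen(p);
        if (flen > nlen && p[nlen] == '=' && strncmp(p, name, nlen) == 0) {
            *len = flen - nlen - 1;
            return p + nlen + 1;
        }
        p = end ? end + 1 : NULL;
    }
    return NULL;
}

/* Returns the port (1-65535), or -1 if the field is missing or malformed.
 * The length check runs before the copy, so an oversized value never
 * reaches the fixed-size stack buffer. */
int tr069_local_port(const char *body)
{
    size_t len;
    char digits[PORT_MAX_DIGITS + 1];
    const char *v = form_value(body, "TR069_local_port", &len);

    if (!v || len == 0 || len > PORT_MAX_DIGITS)
        return -1;
    if (strspn(v, "0123456789") < len)   /* non-digit inside the field */
        return -1;
    memcpy(digits, v, len);
    digits[len] = '\0';
    long port = strtol(digits, NULL, 10);
    return (port >= 1 && port <= 65535) ? (int)port : -1;
}
```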