Wavlink AC3000 OpenVPN Command Execution Vulnerability

A vulnerability allowing arbitrary command execution exists in the Wavlink AC3000 router, specifically in the OpenVPN configuration handling within the openvpn.cgi file, version M33A8.V5030.210505. This vulnerability arises from improper authentication checks on .cgi binaries, allowing authenticated users to send specially crafted HTTP requests that are executed with system privileges.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the router with elevated privileges.

Reproduction

To reproduce this vulnerability, an authenticated user must send an HTTP POST request to the router's openvpn.cgi script, including the vpn_type parameter set to 'client'. The request must also contain the ovpn_text parameter with the desired OpenVPN configuration, including a command to be executed, such as a shell command wrapped in a specific format. Once the request is processed, the injected command will be executed when the OpenVPN client is initiated.