Wavlink AC3000 Buffer Overflow Vulnerability in qos.cgi Component

Vulnerability

A stack-based buffer overflow has been identified in the Wavlink AC3000 router, in the qos_sta_settings() function of the qos.cgi file. An authenticated user can trigger it by sending a specially crafted HTTP request. The function does not properly validate the length of input data before processing it, so an attacker can overwrite the return address and potentially execute arbitrary code.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, allowing for arbitrary code execution on the affected device.

Reproduction

To reproduce this vulnerability, an authenticated user must send an HTTP POST request to the router's qos.cgi file, specifying the page parameter as 'qos_sta'. The request must include crafted cli_list and cli_num parameters that are each 0x818 bytes long. This input overflows a buffer in the qos_sta_settings() function and overwrites the return address, resulting in arbitrary code execution.

Remediation

Wavlink has acknowledged the vulnerability and is reportedly working on a patch, although no specific release date has been provided.
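
While no patch is available, requests matching the pattern described under Reproduction can be flagged in reverse-proxy or capture data. The following check is an added example, not code from Wavlink or from this advisory; the MAX_PARAM_LEN limit, the /cgi-bin/ path prefix and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

# Assumption: real QoS client settings stay far below this length. The page
# only says 0x818-byte values overflow; the actual buffer size is not given.
MAX_PARAM_LEN = 256
WATCHED_PARAMS = ("cli_list", "cli_num")


def check_request(method, url, body):
    """Return [(param, decoded_length), ...] for oversized watched fields.

    body is the raw application/x-www-form-urlencoded POST body (bytes).
    """
    if method.upper() != "POST":
        return []
    if not urlsplit(url).path.lower().endswith("/qos.cgi"):
        return []
    # latin-1 maps each byte to one character, so len() below is the byte
    # count after percent-decoding and non-UTF-8 filler cannot raise.
    fields = parse_qsl(body.decode("latin-1"), keep_blank_values=True,
                       encoding="latin-1")
    if ("page", "qos_sta") not in fields:
        return []
    return [(name, len(value)) for name, value in fields
            if name in WATCHED_PARAMS and len(value) > MAX_PARAM_LEN]


# Constructed sample requests (method, URL, body); the /cgi-bin/ prefix is
# an assumption, the page names only the qos.cgi file.
SAMPLES = [
    ("POST", "/cgi-bin/qos.cgi",
     b"page=qos_sta&cli_list=AA%3ABB%3ACC%3ADD%3AEE%3AFF&cli_num=1"),
    ("POST", "/cgi-bin/qos.cgi",
     b"page=qos_sta&cli_list=" + b"A" * 0x818 + b"&cli_num=" + b"%41" * 0x818),
    ("POST", "/cgi-bin/qos.cgi", b"page=qos&cli_list=" + b"A" * 0x818),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        hits = check_request(method, url, body)
        print(url, "ALERT" if hits else "ok", hits)
```

Lengths are measured after percent-decoding, so an encoded value cannot slip under the limit by being counted in its raw form.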

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 7.5
exploitability: 6.2
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.