Wavlink AC3000 Wireless Router Stack-Based Buffer Overflow Vulnerability in SetName Functionality
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the Wavlink AC3000 router, specifically in the wireless.cgi SetName() function of version M33A8.V5030.210505. This vulnerability allows authenticated attackers to execute arbitrary commands by sending specially crafted HTTP requests. The issue arises because the SetName function does not properly validate the length of the 'NewName' POST parameter, enabling attackers to overwrite the return address and potentially gain control of the device.
Impact
Exploitation of this vulnerability leads to arbitrary command execution on the affected device.
Reproduction
To reproduce this vulnerability, an authenticated user must send an HTTP POST request to the Wavlink AC3000 router's wireless.cgi interface, targeting the SetName function. The request must include a 'NewName' parameter with a payload that exceeds 88 bytes, allowing it to overflow the buffer and overwrite the return address. When the router processes the crafted request, it executes the injected commands, demonstrating the vulnerability.
Remediation
Wavlink has acknowledged the vulnerability and is reportedly working on a patch, although no specific release date has been provided.
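The root cause described above is a missing length check on 'NewName'. The following added example (not Wavlink's code and not part of the original advisory) sketches the bounded parsing such a CGI handler needs: the value is percent-decoded into a fixed buffer and rejected, never truncated or overrun, when it does not fit. The function names, the 64-byte buffer size and the 400 status value are assumptions for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define NAME_BUF 64 /* assumed size; the firmware's real buffer size is not given */
static int hexval(int c) {
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Copy the percent-decoded value of `key` from a urlencoded body into `out`.
 * Returns the decoded length, -1 if missing or malformed, -2 if too long. */
int get_form_value(const char *body, const char *key, char *out, size_t outsz) {
    size_t klen = strlen(key), n = 0;
    const char *p = body;
    while (*p && !(strncmp(p, key, klen) == 0 && p[klen] == '=')) {
        p = strchr(p, '&');            /* skip to the next parameter */
        if (!p) return -1;
        p++;
    }
    if (!*p || outsz == 0) return -1;
    p += klen + 1;
    for (; *p && *p != '&'; p++) {
        int c = (unsigned char)*p;
        if (c == '+') c = ' ';
        else if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0) return -1;     /* truncated or non-hex escape */
            c = hi * 16 + lo;
            p += 2;
        }
        if (c == 0) return -1;         /* embedded NUL would hide the tail */
        if (n + 1 >= outsz) return -2; /* reject instead of overflowing */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Hypothetical SetName-style handler: 0 on success, 400 on any bad input. */
int set_name(const char *post_body, char *stored, size_t storedsz) {
    char name[NAME_BUF];
    int len = get_form_value(post_body, "NewName", name, sizeof name);
    if (len <= 0 || (size_t)len >= storedsz) return 400;
    memcpy(stored, name, (size_t)len + 1);
    return 0;
}
```

The length is checked against the decoded value, since percent-encoding makes the raw parameter up to three times longer than what is finally copied.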
