Wavlink AC3000 Buffer Overflow Vulnerability in adm.cgi set_wzap() Functionality

Vulnerability

A stack-based buffer overflow has been identified in the Wavlink AC3000 router, in the set_wzap() function of adm.cgi. It can be triggered by a specially crafted HTTP request and affects Wavlink AC3000 routers running version M33A8.V5030.210505. Because the function does not validate input length, an authenticated user can exploit it by sending such a request.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, allowing for arbitrary code execution on the affected device.

Reproduction

To reproduce this vulnerability, an authenticated user must send an HTTP POST request to the adm.cgi binary with the 'page' parameter set to 'wzdap'. The request must include a 'wlan_ssid2g' parameter with a value longer than 0x90 bytes. This oversized input will overwrite the return address of the set_wzap() function, causing a segmentation fault and potentially allowing for arbitrary code execution.

Remediation

Wavlink has acknowledged the vulnerability and is working on a patch, although no specific release date has been provided.
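
The missing control described above is an input length check before the SSID value is copied into a fixed-size stack buffer. The following C code is an added example, not Wavlink's code or a vendor patch: the function names, return codes and the form-body parsing are assumptions, and the 32-byte limit is the 802.11 maximum SSID length rather than a value taken from the firmware.

```c
#include <stddef.h>
#include <string.h>

#define SSID_MAX 32 /* an 802.11 SSID is at most 32 octets */

/* Hypothetical helper: locate `name=value` in a url-encoded POST body and
 * return a pointer to the raw value plus its length (no copy is made). */
static const char *find_param(const char *body, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = body;

    while (p != NULL && *p != '\0') {
        const char *amp = strchr(p, '&');
        size_t flen = amp ? (size_t)(amp - p) : strlen(p);

        if (flen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            *len = flen - nlen - 1;
            return p + nlen + 1;
        }
        p = amp ? amp + 1 : NULL;
    }
    return NULL;
}

/* Copy wlan_ssid2g into dst only after its length has been checked.
 * Returns 0 on success, -1 if the parameter is absent, -2 if it is too long.
 * Percent-decoding is omitted; the raw length is an upper bound on the
 * decoded length, so the check stays conservative. */
int get_ssid_checked(const char *body, char *dst, size_t dst_size)
{
    size_t len = 0;
    const char *val = find_param(body, "wlan_ssid2g", &len);

    if (val == NULL)
        return -1;
    if (len > SSID_MAX || len >= dst_size)
        return -2; /* reject instead of truncating or overflowing */

    memcpy(dst, val, len);
    dst[len] = '\0';
    return 0;
}
```

A handler built this way returns an error to the client for any wlan_ssid2g value over the limit, so the copy never runs past the destination buffer regardless of how large the request is.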

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 7.5
exploitability: 6.2
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.