Wavlink AC3000 Wireless Router Stack-Based Buffer Overflow Vulnerability in DeleteMac Functionality

A stack-based buffer overflow vulnerability has been identified in the Wavlink AC3000 router, specifically in the wireless.cgi DeleteMac() function, version M33A8.V5030.210505. This vulnerability allows authenticated attackers to execute arbitrary commands by sending specially crafted HTTP requests. The issue arises because the DeleteMac function does not properly validate the length of input data, enabling attackers to overwrite the return address and gain unauthorized access.

Impact

Exploitation of this vulnerability leads to arbitrary command execution on the affected device.

Reproduction

To reproduce this vulnerability, an authenticated user must send an HTTP POST request to the wireless.cgi DeleteMac() function. The request must include a crafted 'delete_list' parameter that exploits the buffer overflow by overwriting the return address with a payload that executes arbitrary commands. This can be achieved by first using the 'AddMac' command to inject a payload into the 'AccessControlName3' nvram variable, which is then exploited in the 'DeleteMac' function.