Wavlink AC3000 Command Injection Vulnerability in nas.cgi remove_dir() Functionality
Vulnerability
A command injection vulnerability has been identified in the Wavlink AC3000 router, specifically in the nas.cgi file's remove_dir() function. This vulnerability allows authenticated attackers to execute arbitrary code on the device by sending a specially crafted HTTP request. The issue arises because the lighttpd server configuration permits direct interaction with .cgi binaries in the web root, bypassing authentication requirements.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the affected device.
Reproduction
To reproduce this vulnerability, an authenticated HTTP request must be sent to the Wavlink AC3000 router's nas.cgi page, with the 'page' parameter set to 'rmdir'. The 'dir_path' parameter can then be used to inject a command, which will be executed on the system, resulting in arbitrary code execution.
Remediation
Wavlink has acknowledged the vulnerability and is working on a patch, although no specific release date has been provided.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.