Wavlink AC3000 Command Injection Vulnerability in Firewall CGI

A command injection vulnerability has been identified in the Wavlink AC3000 router, specifically within the firewall.cgi file's iptablesWebsFilterRun() function. This vulnerability allows authenticated users to execute arbitrary code on the device by sending a specially crafted HTTP request. The issue arises because the router's lighttpd server configuration permits direct interaction with .cgi binaries in the web root, bypassing authentication requirements. Exploitation involves manipulating the 'firewall' and 'addURLFilter' parameters to inject commands that are executed via the 'do_system' function, leveraging the lack of input validation on certain values.

Impact

Successful exploitation of this vulnerability allows for arbitrary code execution on the affected device.

Reproduction

To reproduce this vulnerability, an authenticated user must send an HTTP POST request to the Wavlink AC3000 router's firewall.cgi file. The request must include the 'firewall' parameter set to 'websURLFilter' and the 'addURLFilter' parameter containing the injected command. Once the request is processed, the injected command will be executed on the router's operating system.