Wavlink AC3000 Arbitrary Code Execution Vulnerability in adm.cgi set_MeshAp() Functionality

A vulnerability allowing arbitrary code execution exists in the Wavlink AC3000 router, specifically in the adm.cgi file's set_MeshAp() function. This vulnerability arises from a buffer overflow issue, where a specially crafted HTTP request can overwrite the stack and manipulate the return address, leading to unauthorized code execution. The vulnerability affects Wavlink AC3000 M33A8.V5030.210505.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary code on the affected device.

Reproduction

To reproduce this vulnerability, an authenticated user must send an HTTP POST request to the adm.cgi script with the page parameter set to 'wzdMeshAp'. The request must include a crafted 'wlan_ssid2' parameter that exceeds 0x98 bytes in length. This will trigger the set_MeshAp function, where the buffer overflow can be exploited by overwriting the return address on the stack, leading to arbitrary code execution.