Wavlink AC3000 External Configuration Control Vulnerability in nas.cgi: Arbitrary Command Execution
Vulnerability
A vulnerability allowing external configuration control has been identified in the Wavlink AC3000 router, specifically in the nas.cgi set_nas() function. This vulnerability arises from the improper handling of HTTP requests, which can be exploited to execute arbitrary commands on the device. The issue affects Wavlink AC3000 routers running firmware version M33A8.V5030.210505. Exploitation requires authentication, as the vulnerability can only be triggered by an authenticated HTTP request.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the affected device.
Reproduction
To reproduce this vulnerability, an authenticated user can send a crafted HTTP POST request to the nas.cgi page, including specific parameters that the set_nas() function will parse. The absence of input validation on the 'smb_netbios' parameter allows for the injection of arbitrary commands into the Samba configuration, which can be leveraged for further exploitation.
Remediation
Users are advised to check for firmware updates or patches from Wavlink for the AC3000 model. Consult the Wavlink AC3000 product page for more information.
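For firmware developers, the missing check on 'smb_netbios' can be closed with an allow-list applied before the value reaches the Samba configuration. The following is an added example, not Wavlink's code: the helper names are hypothetical, the value is assumed to be written as a `netbios name` line in smb.conf, and the allow-list is deliberately stricter than what NetBIOS itself permits.

```c
#include <stdio.h>
#include <string.h>

#define NETBIOS_MAX 15  /* a NetBIOS name carries at most 15 usable characters */

/* ASCII letters, digits and '-' only; locale-independent on purpose. */
static int is_allowed(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '-';
}

/* Hypothetical helper: returns 1 only if the whole value passes the allow-list. */
int netbios_name_ok(const char *s)
{
    size_t n, i;

    if (s == NULL)
        return 0;
    n = strlen(s);
    if (n == 0 || n > NETBIOS_MAX)
        return 0;
    if (s[0] == '-' || s[n - 1] == '-')
        return 0;
    /* Rejects whitespace, CR/LF, quotes and every config or shell metacharacter. */
    for (i = 0; i < n; i++)
        if (!is_allowed((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Hypothetical helper: builds the config line, failing closed.
   Returns the line length, or -1 if the value is rejected or does not fit. */
int format_netbios_line(char *out, size_t outlen, const char *value)
{
    int n;

    if (!netbios_name_ok(value))
        return -1;
    n = snprintf(out, outlen, "netbios name = %s\n", value);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}
```

Rejecting the request outright on a -1 return, rather than stripping characters and continuing, keeps the handler from writing a partially sanitised value.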
