Wavlink AC3000 Wireless Router Stack-Based Buffer Overflow Vulnerability in CGI Interface Allowing Arbitrary Command Execution
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the Wavlink AC3000 router, specifically within the 'wireless.cgi' file's 'set_wifi_basic_mesh()' function. This vulnerability arises because the function does not properly validate the length of certain POST parameters, allowing for arbitrary data to be written to the stack. An authenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request, potentially leading to arbitrary command execution on the device.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the affected device.
Reproduction
To reproduce this vulnerability, an authenticated user must send an HTTP POST request to the 'wireless.cgi' file, with the 'page' parameter set to 'basicMesh'. The request must include crafted 'SSID2G' POST data that exceeds the buffer length of 0x78 bytes. This will overwrite the return address of the 'set_wifi_basic_mesh' function, leading to a stack-based buffer overflow and allowing for arbitrary code execution.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.