Wavlink AC3000 Command Execution Vulnerability via HTTP Request

A command execution vulnerability has been identified in the Wavlink AC3000 router, specifically in the update_filter_url.sh script of version M33A8.V5030.210505. This vulnerability allows arbitrary command execution by injecting crafted HTTP requests. The issue can be exploited through a man-in-the-middle attack, taking advantage of the script's lack of HTTPS validation.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

To reproduce this vulnerability, intercept HTTP traffic to the router and inject a crafted request that exploits the update_filter_url.sh script. The injection can be done by manipulating the URLs that the script retrieves from the router's NVRAM, taking advantage of the fact that the initial URL fetches are done over HTTP, not HTTPS. Once the script is tricked into executing a command with the injected payload, it can be used to overwrite files on the router's filesystem, such as the passwd file, potentially leading to privilege escalation.