Wavlink AC3000 Static Login Vulnerability in wctrls Functionality Granting Root Access

Vulnerability

A static login vulnerability has been identified in the Wavlink AC3000 router, specifically in the wctrls functionality of version M33A8.V5030.210505. This vulnerability allows an attacker to gain root access by sending a specially crafted set of network packets to the device. The wctrls service, running on UDP port 36338, accepts these packets and, after a series of encrypted communications, can be exploited to enable a telnet service with root privileges. This issue is compounded by the existence of a static admin login that persists even after a factory reset, allowing for remote access over WAN.

Impact

Exploitation of this vulnerability provides unauthorized root access to the device, with the potential for remote code execution via the enabled telnet service.

Reproduction

The vulnerability can be reproduced by sending crafted UDP packets to port 36338. The first packet must be two bytes long, with the first byte indicating a command related to the exploitation. Once the service acknowledges the packet, a second packet of 16 bytes can be sent. This 16-byte packet is crucial as it is used to establish an encrypted communication channel with the device. After successfully completing this handshake, the exploitation can be finalized by sending specific commands that are recognized by the device's firmware, such as those that enable the telnet service.
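A defender-side check for the packet pattern described above, added here as an example and not taken from the advisory or from Wavlink: it scans UDP datagram records for a 2-byte datagram to port 36338 followed by a 16-byte datagram from the same source to the same device. The record layout (`Datagram`), the 30-second window, and the sample records are assumptions made for illustration; lengths are UDP payload lengths.

```python
from collections import namedtuple

WCTRLS_PORT = 36338          # UDP port named in the advisory
PROBE_LEN, KEY_LEN = 2, 16   # datagram sizes named in the advisory
WINDOW_SECONDS = 30.0        # assumption: max gap between the two datagrams

# Assumed record shape, e.g. exported from a flow log or packet capture.
Datagram = namedtuple("Datagram", "ts src dst dport length")

def find_wctrls_handshakes(datagrams, window=WINDOW_SECONDS):
    """Return (src, dst, first_ts, second_ts) for each 2-byte then 16-byte
    UDP sequence sent to port 36338 by one source to one device."""
    pending = {}   # (src, dst) -> timestamp of the latest 2-byte datagram
    alerts = []
    for d in sorted(datagrams, key=lambda d: d.ts):
        if d.dport != WCTRLS_PORT:
            continue
        key = (d.src, d.dst)
        if d.length == PROBE_LEN:
            pending[key] = d.ts
        elif d.length == KEY_LEN and key in pending:
            first_ts = pending.pop(key)
            if d.ts - first_ts <= window:
                alerts.append((d.src, d.dst, first_ts, d.ts))
    return alerts

def any_wctrls_traffic(datagrams):
    """Every source that sent anything to the wctrls port (lower-confidence list)."""
    return sorted({d.src for d in datagrams if d.dport == WCTRLS_PORT})

# Constructed sample records using documentation address ranges, not real traffic.
SAMPLE = [
    Datagram(0.0, "198.51.100.7", "192.0.2.1", 36338, 2),
    Datagram(0.4, "198.51.100.7", "192.0.2.1", 36338, 16),
    Datagram(1.0, "203.0.113.9", "192.0.2.1", 53, 16),        # different port
    Datagram(2.0, "203.0.113.20", "192.0.2.1", 36338, 16),    # no preceding 2-byte datagram
    Datagram(5.0, "203.0.113.30", "192.0.2.1", 36338, 2),
    Datagram(90.0, "203.0.113.30", "192.0.2.1", 36338, 16),   # outside the window
]

if __name__ == "__main__":
    for src, dst, t0, t1 in find_wctrls_handshakes(SAMPLE):
        print(f"ALERT wctrls handshake pattern {src} -> {dst}:{WCTRLS_PORT} "
              f"(t={t0:.1f}s, t={t1:.1f}s)")
```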

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.