Wavlink AC3000 Wireless Router Stack-Based Buffer Overflow Vulnerability in AddMac Functionality
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the Wavlink AC3000 router, specifically in the wireless.cgi AddMac() function of version M33A8.V5030.210505. This vulnerability allows authenticated attackers to execute arbitrary commands by sending specially crafted HTTP requests. The issue arises because the AddMac function does not properly validate the length of the 'addMac' POST parameter, enabling attackers to overwrite the return address and gain command execution capabilities.
Impact
Exploitation of this vulnerability leads to arbitrary command execution on the affected device.
Reproduction
To reproduce this vulnerability, an authenticated user must send an HTTP POST request to the Wavlink AC3000 router's wireless.cgi interface, targeting the AddMac function. The request must include an 'addMac' parameter whose value exceeds 0xc20 bytes, which allows it to overwrite the function's return address and execute arbitrary commands on the device.
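The missing length validation described above is the defect to fix. The following added example (not Wavlink firmware code and not part of the original advisory) sketches a bounded, format-checked copy of the 'addMac' value. The function names, the single colon-separated MAC format and the buffer sizes are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAC_STR_LEN 17  /* assumed value format: "aa:bb:cc:dd:ee:ff" */

/* Returns 1 only for six hex pairs separated by ':' and then a NUL.
 * A NUL inside the first 17 bytes fails the check at that index, so the
 * loop never reads past the terminator, and an oversized value is
 * rejected after at most 18 bytes have been examined. */
static int is_mac(const char *s) {
    for (int i = 0; i < MAC_STR_LEN; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':') return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return s[MAC_STR_LEN] == '\0';
}

/* Hypothetical handler-side copy of the 'addMac' value into a fixed
 * buffer. Returns 0 on success, -1 on rejection (dst left untouched). */
int add_mac_checked(char *dst, size_t dst_size, const char *param) {
    if (dst == NULL || param == NULL || dst_size < MAC_STR_LEN + 1)
        return -1;
    if (!is_mac(param))
        return -1;
    memcpy(dst, param, MAC_STR_LEN + 1);  /* 17 chars plus the NUL */
    return 0;
}

int main(void) {
    char entry[MAC_STR_LEN + 1];
    char big[0xc20 + 64];  /* constructed oversized value */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("valid MAC: %d\n", add_mac_checked(entry, sizeof entry, "00:1A:2b:3C:4d:5E"));
    printf("oversized: %d\n", add_mac_checked(entry, sizeof entry, big));
    return 0;
}
```

The check rejects the value before any copy takes place, so the destination buffer size never depends on attacker-controlled input.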
