Wavlink AC3000 Command Injection Vulnerability in login.cgi Allowing Arbitrary Code Execution

A command injection vulnerability has been identified in the Wavlink AC3000 router, specifically in the login.cgi file's set_sys_init() function. This vulnerability, present in version M33A8.V5030.210505, allows for arbitrary code execution. The issue arises because the login.cgi file does not properly authenticate users before executing commands. An attacker can exploit this vulnerability by sending a specially crafted HTTP request, taking advantage of the command injection flaw in the restart_week_value POST parameter.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected device.

Reproduction

To reproduce this vulnerability, send an unauthenticated HTTP POST request to the login.cgi page with the page parameter set to 'sysinit'. Include the restart_week_value parameter with a crafted value that, when processed by the set_sys_init() function, injects a command into the router's crontab. The injected command will be executed with the privileges of the 'adm2860' user, allowing for code execution on the device.