Wavlink AC3000 Command Injection Vulnerability in Routing Configuration

Vulnerability

A command injection vulnerability has been identified in the Wavlink AC3000 router, specifically in the set_add_routing() function of internet.cgi. It allows an authenticated attacker to execute arbitrary commands on the device. The issue arises from improper handling of several POST parameters, including 'netmask', 'gateway', 'dest', 'interface', 'custom_interface', and 'comment', whose values are not validated before being used by the routing-configuration handler. The vulnerability affects Wavlink AC3000 firmware version M33A8.V5030.210505.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

To reproduce this vulnerability, an authenticated user sends a crafted HTTP POST request to the router's web interface, targeting the 'internet.cgi' script. The request must carry one of the vulnerable POST parameters, such as 'netmask', 'gateway', or 'dest', with injected commands in its value. The 'custom_interface' parameter can also be used to execute commands, but only after the 'interface' parameter has been set so that the handler reads 'custom_interface'.
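The root cause described above is that values meant to be an address, a netmask, an interface name or a comment reach a command builder unchecked. The following is an added example of the defensive counterpart, written for this page and not taken from the Wavlink firmware: each of the six named parameters is allow-listed against the shape it must have, and the resulting route is assembled as an argument vector rather than a shell string, so a value with shell syntax is rejected before any command exists. The value set for 'interface' (WAN, LAN, custom), the device-name mapping and the use of an `ip route add` style command are assumptions for illustration; the real handler's command and accepted values are not known from the advisory.

```python
import ipaddress
import re

# Hypothetical allow-list validation for the routing-table POST parameters
# named in the advisory: netmask, gateway, dest, interface, custom_interface,
# comment. Illustrative code only, not the vendor's implementation.

IFACE_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")      # e.g. eth0, br-lan, ppp0.1
COMMENT_RE = re.compile(r"[A-Za-z0-9 _.-]{0,64}")    # free text, no shell metacharacters
KNOWN_INTERFACES = {"WAN", "LAN", "custom"}          # assumed value set for 'interface'
INTERFACE_DEVICES = {"WAN": "eth1", "LAN": "br0"}     # assumed mapping to kernel devices


def _is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:  # covers AddressValueError and non-string input
        return False


def _is_netmask(value):
    """A valid netmask is a contiguous run of 1 bits followed by 0 bits."""
    if not _is_ipv4(value):
        return False
    inverted = (~int(ipaddress.IPv4Address(value))) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def validate_routing_params(params):
    """Return (ok, errors). Every field is allow-listed, so a value carrying
    shell syntax never reaches whatever command the handler later builds."""
    errors = []
    for key in ("dest", "gateway"):
        if not _is_ipv4(params.get(key, "")):
            errors.append(f"{key}: not a dotted-quad IPv4 address")
    if not _is_netmask(params.get("netmask", "")):
        errors.append("netmask: not a contiguous IPv4 netmask")
    iface = params.get("interface", "")
    if iface not in KNOWN_INTERFACES:
        errors.append("interface: not one of the known values")
    elif iface == "custom" and not IFACE_RE.fullmatch(params.get("custom_interface", "")):
        errors.append("custom_interface: not a plain interface name")
    if not COMMENT_RE.fullmatch(params.get("comment", "")):
        errors.append("comment: contains characters outside the allow-list")
    return (not errors, errors)


def route_add_argv(params):
    """Build the route command as an argv list (no shell involved), or return
    None when validation fails. The command shape is an assumption."""
    ok, _ = validate_routing_params(params)
    if not ok:
        return None
    network = ipaddress.IPv4Network(f"{params['dest']}/{params['netmask']}", strict=False)
    iface = params["interface"]
    device = params["custom_interface"] if iface == "custom" else INTERFACE_DEVICES[iface]
    # Each value is its own argv element; nothing here is ever parsed by a shell.
    return ["ip", "route", "add", str(network), "via", params["gateway"], "dev", device]


if __name__ == "__main__":
    # Constructed sample request bodies, not captured traffic.
    good = {"dest": "10.10.0.0", "netmask": "255.255.255.0", "gateway": "192.168.1.1",
            "interface": "custom", "custom_interface": "eth0", "comment": "lab route"}
    bad = dict(good, gateway="192.168.1.1;x")
    print(validate_routing_params(good), route_add_argv(good))
    print(validate_routing_params(bad), route_add_argv(bad))
```

The two layers are independent: the allow-list alone would stop the injected values the advisory describes, and building an argv list alone would keep a stray metacharacter from being interpreted. Applying both means a future change to one layer does not silently reopen the issue.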

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact         10.0
  exploitability  6.3
  remediation     0.0
  relevance       0.0
  threat          4.8
  urgency         2.9
  incentive       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.