Wavlink AC3000 Command Injection Vulnerability in Routing Configuration

A command injection vulnerability has been identified in the Wavlink AC3000 router, specifically in the internet.cgi set_add_routing() function. This vulnerability allows authenticated attackers to execute arbitrary commands on the device. The issue arises from improper handling of several POST parameters, including 'dest', 'netmask', 'gateway', 'interface', and 'custom_interface'. Exploitation involves sending a crafted HTTP request that includes malicious input in these parameters, bypassing authentication checks and leading to unauthorized command execution.

Impact

Successful exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

To reproduce this vulnerability, an authenticated user must send a POST request to the 'internet.cgi' script with the 'page' parameter set to 'addrouting'. The 'custom_interface' parameter can be used to inject commands, while the 'netmask', 'gateway', and 'dest' parameters also allow for command injection. The injected commands are executed on the device with the privileges of the web server.