Wavlink AC3000
cpe:2.3:h:wavlink:jetstream_ac3000:*:*:*:*:*:*:*
- M33A8.V5030.210505
A stack-based buffer overflow vulnerability has been identified in the Wavlink AC3000 router, in the set_qos() function of internet.cgi. It affects version M33A8.V5030.210505. The flaw is reachable through the cli_name POST parameter of a specially crafted HTTP request. It allows authenticated attackers to overwrite the function's return address with arbitrary data, potentially leading to remote code execution.
Exploitation of this vulnerability allows authenticated attackers to execute arbitrary code on the affected device.
To reproduce this vulnerability, an authenticated HTTP POST request must be sent to the router's internet.cgi, targeting the set_qos() function, with a cli_name parameter that exceeds the buffer size. The cli_name value is concatenated into a buffer without proper size checks, so the excess data overwrites the return address and allows arbitrary code execution.
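The missing size check described above, sketched in C as an added example; this is not the vendor's firmware code. The function names, the `qos_rule name=` prefix and both buffer limits are assumptions, since the page does not give the real buffer size or string format.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limits for illustration; the firmware's real sizes are not on the page. */
#define CLI_NAME_MAX 32
#define QOS_CMD_MAX  128

/* Unsafe pattern of the kind the advisory describes (shown for contrast only):
 *   char cmd[QOS_CMD_MAX];
 *   strcpy(cmd, "qos_rule name=");
 *   strcat(cmd, cli_name);      // request-controlled length, no bound
 */

/* Returns 0 if cli_name is non-empty and at most CLI_NAME_MAX bytes, else -1.
 * The scan stops at the limit, so an oversized value is never fully walked. */
int validate_cli_name(const char *cli_name)
{
    size_t i;
    if (cli_name == NULL)
        return -1;
    for (i = 0; cli_name[i] != '\0'; i++) {
        if (i >= CLI_NAME_MAX)
            return -1;
    }
    return i == 0 ? -1 : 0;
}

/* Hypothetical hardened builder: writes the rule into out[out_len].
 * Returns the string length, or -1 (with out emptied) on reject or truncation. */
int build_qos_rule(char *out, size_t out_len, const char *cli_name)
{
    int n;
    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    if (validate_cli_name(cli_name) != 0)
        return -1;
    n = snprintf(out, out_len, "qos_rule name=%s", cli_name);
    if (n < 0 || (size_t)n >= out_len) {   /* would not fit: refuse, do not truncate */
        out[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char cmd[QOS_CMD_MAX];
    printf("%d\n", build_qos_rule(cmd, sizeof cmd, "laptop"));   /* constructed input */
    return 0;
}
```

Rejecting the request outright, rather than silently truncating, also gives the web handler a clear event to log when an oversized cli_name arrives.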