Wavlink AC3000
cpe:2.3:h:wavlink:jetstream_ac3000:*:*:*:*:*:*:*
- M33A8.V5030.210505
A stack-based buffer overflow vulnerability has been identified in the Wavlink AC3000 router, specifically in the internet.cgi file's set_qos() function. This vulnerability affects version M33A8.V5030.210505. The issue arises from the improper handling of POST parameters, particularly 'cli_mac', 'cli_name', and 'en_enable', which are all processed without length validation. An authenticated attacker can exploit this vulnerability by sending a crafted HTTP request that overwrites the stack with malicious data, potentially leading to arbitrary code execution.
Exploitation of this vulnerability allows authenticated attackers to execute arbitrary code on the affected device.
To reproduce this vulnerability, an authenticated user must send a POST request to the 'internet.cgi' file with the 'page' parameter set to 'qos'. The 'cli_mac', 'cli_name', and 'en_enable' POST parameters should be included in the request. These parameters can be crafted to exceed their buffer limits, causing a stack-based buffer overflow. Once the overflow occurs, the router will crash, indicating that the vulnerability has been successfully exploited.
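The missing length validation described above, seen from the fix side, as an added example that is not Wavlink's code and not part of the original advisory: a validator that rejects oversized `cli_mac`, `cli_name` and `en_enable` values before they are copied into fixed-size buffers. The buffer sizes, the MAC format, the "0"/"1" flag values and the names `qos_rule` and `parse_qos_params` are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits: the advisory does not state the real buffer sizes. */
#define MAC_LEN  17   /* "AA:BB:CC:DD:EE:FF" (assumed format) */
#define NAME_MAX 32   /* assumed maximum client-name length */

struct qos_rule { char mac[MAC_LEN + 1]; char name[NAME_MAX + 1]; int enable; };

/* Length of s, scanning at most max bytes (never reads past max). */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Copy src into dst only if it fits with its terminator; reject, never truncate. */
static int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t n;
    if (src == NULL) return -1;
    n = bounded_len(src, dst_size);
    if (n >= dst_size) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Accept exactly six colon-separated hex octets, nothing longer or shorter. */
static int valid_mac(const char *s) {
    if (s == NULL || bounded_len(s, MAC_LEN + 1) != MAC_LEN) return 0;
    for (int i = 0; i < MAC_LEN; i++) {
        if (i % 3 == 2 ? s[i] != ':' : !isxdigit((unsigned char)s[i])) return 0;
    }
    return 1;
}

/* Returns 0 and fills *out only when all three fields pass; -1 otherwise. */
int parse_qos_params(const char *cli_mac, const char *cli_name,
                     const char *en_enable, struct qos_rule *out) {
    if (!valid_mac(cli_mac)) return -1;
    if (copy_bounded(out->mac, sizeof out->mac, cli_mac) != 0) return -1;
    if (copy_bounded(out->name, sizeof out->name, cli_name) != 0) return -1;
    /* Assumption: en_enable is a flag whose only valid values are "0" and "1". */
    if (en_enable == NULL || (strcmp(en_enable, "0") && strcmp(en_enable, "1"))) return -1;
    out->enable = (en_enable[0] == '1');
    return 0;
}

int main(void) {
    struct qos_rule r;   /* constructed sample values */
    printf("%d\n", parse_qos_params("AA:BB:CC:DD:EE:FF", "laptop", "1", &r));
    return 0;
}
```

Rejecting an over-length value outright, rather than truncating it, keeps the stored rule consistent with what the client submitted and gives the handler a clear error path to log.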