Wavlink AC3000
cpe:2.3:h:wavlink:jetstream_ac3000:*:*:*:*:*:*:*
- M33A8.V5030.210505
A stack-based buffer overflow has been identified in the set_qos() function of the internet.cgi file on the Wavlink AC3000 router. It affects version M33A8.V5030.210505. The issue arises from the 'en_enable' POST parameter, whose size is not validated, and it can be triggered by sending a specially crafted HTTP request. An authenticated user can overwrite the function's return address with arbitrary data, potentially leading to remote code execution.
Successful exploitation overwrites the return address with attacker-controlled data, leading to arbitrary code execution.
To reproduce the vulnerability, send an authenticated HTTP POST request to the router's internet.cgi file with the 'page' parameter set to 'qos' and an 'en_enable' POST parameter whose value exceeds its buffer size. Because the size of 'en_enable' is not validated, the oversized value causes the stack-based buffer overflow, similar to how the 'cli_name' and 'cli_mac' parameters were exploited.
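For defenders, the request shape described above can be checked in captured traffic or at a reverse proxy. The following is an added detection example, not code from the advisory or the vendor; the length cap, the raw-request input format and the sample path prefix and host are assumptions, since the advisory does not give the buffer size.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: the advisory gives no buffer size, so this cap is a hypothetical,
# conservative limit for values that should be short (a flag, a name, a MAC).
MAX_VALUE_LEN = 64
WATCHED = ("en_enable", "cli_name", "cli_mac")  # parameter names from the advisory

def oversized_qos_params(raw_request: bytes, limit: int = MAX_VALUE_LEN) -> dict:
    """Return {param: decoded byte length} for watched values over the limit.

    Only POST requests to internet.cgi with page=qos are inspected.
    """
    head, _, body = raw_request.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) < 2 or parts[0].upper() != "POST":
        return {}
    target = urlsplit(parts[1])
    if not target.path.lower().endswith("internet.cgi"):
        return {}
    # latin-1 maps one byte to one character, so len() is the decoded byte count.
    opts = dict(keep_blank_values=True, encoding="latin-1")
    fields = parse_qs(target.query, **opts)  # 'page' may be in the query string
    for key, values in parse_qs(body.decode("latin-1"), **opts).items():
        fields.setdefault(key, []).extend(values)
    if "qos" not in fields.get("page", []):
        return {}
    hits = {}
    for name in WATCHED:
        # Check every occurrence: a repeated parameter can hide a long value.
        longest = max((len(v) for v in fields.get(name, [])), default=0)
        if longest > limit:
            hits[name] = longest
    return hits

# Constructed sample requests (path prefix, host and values are made up).
HEADERS = (b"POST /cgi-bin/internet.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n\r\n")
BENIGN = HEADERS + b"page=qos&en_enable=1"
OVERSIZED = HEADERS + b"page=qos&en_enable=" + b"%31" * 200

if __name__ == "__main__":
    print(oversized_qos_params(BENIGN))     # {}
    print(oversized_qos_params(OVERSIZED))  # {'en_enable': 200}
```

The length is measured after percent-decoding, so an encoded value is judged by the number of bytes the CGI would actually receive rather than by its size on the wire.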