Wavlink AC3000 OS Command Injection Vulnerability in adm.cgi sch_reboot() Function

Vulnerability

A command injection vulnerability has been identified in the Wavlink AC3000 router, specifically in the adm.cgi file within the sch_reboot() function. This vulnerability allows authenticated users to execute arbitrary commands on the device. The issue arises from improper validation of user input in several POST parameters, which can be exploited by crafting a specific HTTP request. Once exploited, the injected commands are executed with the privileges of the user account under which the web server is running.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected device.

Reproduction

To reproduce this vulnerability, an authenticated user must send a POST request to the adm.cgi script with crafted values for the restart_hour, restart_min, and restart_week parameters. These values should be formatted to inject a command into the router's crontab, which will then be executed, providing a method for arbitrary code execution.
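The fix for this class of bug is strict server-side validation of the three schedule fields before anything is written to the crontab. The sketch below is an added example, not Wavlink's code or code from the original advisory; the function names, the accepted ranges and the `/sbin/reboot` path are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse s as a decimal integer in [lo, hi]; reject anything else.
 * Only 1-2 ASCII digits are accepted, so whitespace, newlines, signs and
 * shell or crontab metacharacters can never reach the crontab line. */
static int parse_field(const char *s, int lo, int hi, int *out)
{
    size_t n;
    if (s == NULL) return -1;
    n = strlen(s);
    if (n < 1 || n > 2) return -1;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i])) return -1;
    int v = atoi(s);
    if (v < lo || v > hi) return -1;
    *out = v;
    return 0;
}

/* Build the crontab entry from validated integers only, never from the
 * raw request strings. Returns 0 on success, -1 if any field is rejected
 * or the buffer is too small.
 * Assumed ranges: hour 0-23, minute 0-59, day of week 0-6. */
int build_reboot_cron(const char *hour, const char *min, const char *week,
                      char *buf, size_t buflen)
{
    int h, m, w;
    if (parse_field(hour, 0, 23, &h) || parse_field(min, 0, 59, &m) ||
        parse_field(week, 0, 6, &w))
        return -1;
    /* /sbin/reboot is a placeholder command path for this sketch. */
    int n = snprintf(buf, buflen, "%d %d * * %d /sbin/reboot\n", m, h, w);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

int main(void)
{
    char line[64];
    /* Constructed sample input standing in for the POST parameters. */
    if (build_reboot_cron("3", "30", "0", line, sizeof line) == 0)
        fputs(line, stdout);
    return 0;
}
```

Because the crontab line is formatted from integers, a rejected field fails the whole request instead of being sanitized and passed through.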

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.