Wavlink AC3000 Command Injection Vulnerability in nas.cgi add_dir() Function

Vulnerability

A command injection vulnerability has been identified in the Wavlink AC3000 router, specifically in the nas.cgi add_dir() functionality. This vulnerability allows authenticated users to execute arbitrary commands on the device by sending a specially crafted HTTP request. The issue arises in the adddir_name and disk_part POST parameters, where injected commands can be executed with system privileges.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

To reproduce this vulnerability, an authenticated user must send a POST request to the nas.cgi script with the page parameter set to 'adddir'. The POST data can include injected commands in either the 'adddir_name' or 'disk_part' parameters. Once the request is processed, the injected commands will be executed on the router's operating system.
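As an added defender-side example (not part of this advisory), the check below flags nas.cgi 'adddir' POST requests whose adddir_name or disk_part values contain shell metacharacters, which is the pattern a proxy or WAF in front of the router can look for. The "METHOD PATH BODY" log format, the /cgi-bin/nas.cgi path and the sample lines are all constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Shell metacharacters that never belong in a directory name or a
# partition identifier sent to nas.cgi.
SHELL_META = re.compile(r"[;&|`$<>\n\r]")
INJECTABLE_PARAMS = ("adddir_name", "disk_part")


def flag_adddir_request(body: str) -> list[str]:
    """Return the names of adddir parameters carrying shell metacharacters.

    `body` is the raw urlencoded POST body sent to nas.cgi. Returns []
    when the request is not a page=adddir request or all values are clean.
    """
    params = parse_qs(body, keep_blank_values=True)
    if params.get("page") != ["adddir"]:
        return []
    flagged = []
    for name in INJECTABLE_PARAMS:
        if any(SHELL_META.search(v) for v in params.get(name, [])):
            flagged.append(name)
    return flagged


# Constructed sample request log (assumed format): "METHOD PATH BODY".
# The cgi-bin prefix is an assumption; only "nas.cgi" comes from the advisory.
SAMPLE_LOG = [
    "POST /cgi-bin/nas.cgi page=adddir&adddir_name=photos&disk_part=sda1",
    "POST /cgi-bin/nas.cgi page=adddir&adddir_name=photos%3Bid&disk_part=sda1",
    "POST /cgi-bin/nas.cgi page=adddir&adddir_name=backup&disk_part=sda1%60id%60",
    "POST /cgi-bin/nas.cgi page=listdir&adddir_name=x%7Cid",
]


def scan_log(lines):
    """Return (line, flagged_params) for every suspicious adddir request."""
    hits = []
    for line in lines:
        method, path, body = line.split(" ", 2)
        if method != "POST" or not path.endswith("nas.cgi"):
            continue
        flagged = flag_adddir_request(body)
        if flagged:
            hits.append((line, flagged))
    return hits


if __name__ == "__main__":
    for line, flagged in scan_log(SAMPLE_LOG):
        print(f"suspicious adddir request ({', '.join(flagged)}): {line}")
```

Metacharacter blocking is a detection heuristic only; the fix on the device side is an allowlist for these values (for example letters, digits, dot, underscore and hyphen) before they reach any shell.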

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.