Wavlink AC3000 External Configuration Control Vulnerabilities in FTP Settings

Multiple external configuration control vulnerabilities have been identified in the Wavlink AC3000 router, specifically in the nas.cgi set_ftp_cfg() function of version M33A8.V5030.210505. These vulnerabilities allow for permission bypass through specially crafted HTTP requests. An authenticated user can exploit these issues, leading to unauthorized configuration changes via the ftp_name, ftp_port, and ftp_max_sessions parameters.

Impact

Exploitation of these vulnerabilities allows for unauthorized configuration changes to the FTP settings of the affected router, including the FTP name, port, and maximum sessions. This could potentially be abused to manipulate the router's FTP server behavior, such as injecting malicious ProFTPD configuration that could be exploited for unauthorized access or actions on the device's filesystem.

Reproduction

To reproduce this vulnerability, an authenticated user must send an HTTP POST request to the nas.cgi script with the page parameter set to 'ftp'. The request can include crafted data in the ftp_name, ftp_port, and ftp_max_sessions parameters. Once the request is processed, the injected values will be written to the router's NVRAM and subsequently applied to the ProFTPD configuration, allowing for exploitation through the FTP server.