Wavlink AC3000 Permission Bypass and Configuration Injection Vulnerabilities

Vulnerability

Multiple external configuration control vulnerabilities have been identified in the Wavlink AC3000 router, specifically in the nas.cgi set_ftp_cfg() function. These vulnerabilities allow for permission bypass and configuration injection through specially crafted HTTP requests. The issues affect Wavlink AC3000 M33A8.V5030.210505. An authenticated user can exploit these vulnerabilities by sending HTTP POST requests with manipulated parameters.

Impact

Exploitation of these vulnerabilities bypasses authentication and allows for unauthorized configuration changes on the device, particularly in the FTP settings. This could lead to unauthorized access or manipulation of files via FTP.

Reproduction

To reproduce these vulnerabilities, an authenticated user must send an HTTP POST request to the nas.cgi script with the 'page' parameter set to 'ftp'. The 'ftp_port', 'ftp_name', 'ftp_max_sessions', and other related parameters can then be injected through the POST request. Once the request is processed, the injected values are written to the device's NVRAM and subsequently used to configure the ProFTPD FTP server. This misconfiguration can be exploited to gain unauthorized access to the filesystem.
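The kind of server-side check that keeps such values out of NVRAM and the generated ProFTPD configuration, shown as an added example (not Wavlink's code and not part of the original advisory). The function names, the 32-byte name limit and the 64-session ceiling are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical validators: names and limits are assumptions, not firmware code. */

/* Parse a decimal integer in [lo, hi]; reject empty input, signs, leading
 * whitespace and any trailing bytes (e.g. a newline followed by more text). */
static int parse_bounded(const char *s, long lo, long hi, long *out)
{
    char *end;
    if (s == NULL || !isdigit((unsigned char)s[0]))
        return -1;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < lo || v > hi)
        return -1;
    *out = v;
    return 0;
}

/* Server name: 1..32 bytes from [A-Za-z0-9._-] only, so no whitespace,
 * newline or quote can reach a line of the generated server config. */
static int valid_ftp_name(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > 32)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && !strchr("._-", s[i]))
            return 0;
    return 1;
}

/* Returns 0 only if every field is safe to store; the caller writes NVRAM
 * afterwards, using the parsed numbers rather than the raw request strings. */
int validate_ftp_cfg(const char *port, const char *name, const char *max_sessions,
                     long *port_out, long *sessions_out)
{
    if (parse_bounded(port, 1, 65535, port_out) != 0)
        return -1;
    if (parse_bounded(max_sessions, 1, 64, sessions_out) != 0)
        return -2;
    if (!valid_ftp_name(name))
        return -3;
    return 0;
}
```

Storing the parsed integers instead of the request strings means the later config-generation step never sees attacker-controlled bytes in numeric fields.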

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 5.6
remediation: 0.0
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.