Wavlink AC3000 FTP Configuration Injection Vulnerability
Vulnerability
A configuration injection vulnerability has been identified in the Wavlink AC3000 router, in the set_ftp_cfg() function of nas.cgi in version M33A8.V5030.210505. An authenticated user can send a specially crafted HTTP request that bypasses permissions and injects malicious configuration into the router's FTP settings. The injected configuration can be used to manipulate the FTP server's behavior, potentially leading to unauthorized access or actions on the device.
Impact
Exploitation of this vulnerability allows for unauthorized modification of the router's FTP configuration, including the number of allowed FTP sessions. This could be used to disrupt normal FTP operations or to create conditions for further exploitation.
Reproduction
To reproduce this vulnerability, an authenticated user must send an HTTP POST request to the nas.cgi set_ftp_cfg() endpoint. The request must include crafted data in the ftp_max_sessions parameter to inject a malicious configuration. Once the data is injected, the router's FTP server can be manipulated based on the injected values.
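A mitigation sketch for the ftp_max_sessions parameter described above, as an added example that is not Wavlink's code and not part of the original advisory: the value is parsed as a bounded decimal integer, and the configuration line is built from that integer rather than from the request string. The function names, the 1 to 64 range and the max_sessions key name are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed bounds for illustration; the advisory does not state the valid range. */
#define FTP_SESSIONS_MIN 1
#define FTP_SESSIONS_MAX 64

/*
 * Hypothetical validator for the ftp_max_sessions form value.
 * Accepts one to three ASCII decimal digits and nothing else, so line
 * breaks, separators, signs and whitespace never reach the config writer.
 * Returns 0 and stores the value on success, -1 on rejection.
 */
int parse_ftp_max_sessions(const char *raw, int *out)
{
    int value = 0;
    size_t i;

    if (raw == NULL || out == NULL || raw[0] == '\0')
        return -1;
    for (i = 0; raw[i] != '\0'; i++) {
        if (i >= 3 || raw[i] < '0' || raw[i] > '9')
            return -1;
        value = value * 10 + (raw[i] - '0');
    }
    if (value < FTP_SESSIONS_MIN || value > FTP_SESSIONS_MAX)
        return -1;
    *out = value;
    return 0;
}

/*
 * Hypothetical config writer: formats the line from the parsed integer,
 * never from the request string. Returns bytes written, or -1 if the
 * input is rejected or the buffer is too small.
 */
int format_ftp_sessions_line(const char *raw, char *buf, size_t buflen)
{
    int sessions, n;

    if (parse_ftp_max_sessions(raw, &sessions) != 0)
        return -1;
    n = snprintf(buf, buflen, "max_sessions=%d\n", sessions);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}
```

A rejected value should produce an error response and leave the stored configuration unchanged, and the rejection is worth logging because a non-numeric ftp_max_sessions has no legitimate source.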
