Wavlink AC3000 Multiple ProFTPD Configuration Injection Vulnerabilities

Multiple external configuration control vulnerabilities have been identified in the Wavlink AC3000 router, specifically in the nas.cgi set_nas() ProFTPD functionality, within the firmware version M33A8.V5030.210505. These vulnerabilities allow for permission bypass through specially crafted HTTP requests. An authenticated user can exploit these issues by injecting malicious data into various POST parameters, leading to unauthorized configuration changes that could be exploited for further access or control.

Impact

Exploitation of these vulnerabilities allows for unauthorized configuration changes in the ProFTPD server, potentially leading to unauthorized access or control over the system's file system.

Reproduction

To reproduce these vulnerabilities, an authenticated HTTP request must be sent to the nas.cgi script, targeting the set_nas() function. The injection can be done through the ftp_name, ftp_port, and ftp_max_sessions POST parameters. Once the request is processed, the injected values are written to the router's NVRAM and then used to configure the ProFTPD server. The ProFTPD configuration file can be manipulated to grant unauthorized access to the file system, which could lead to executing commands on the router.