Wavlink AC3000 Multiple ProFTPD Configuration Injection Vulnerabilities

Vulnerability

Multiple external configuration control vulnerabilities have been identified in the ProFTPD functionality of nas.cgi set_nas() on the Wavlink AC3000 router, firmware version M33A8.V5030.210505. These vulnerabilities allow permission bypass through specially crafted HTTP requests. An authenticated user can exploit them by injecting malicious data into various POST parameters, leading to unauthorized configuration changes that could be exploited further.

Impact

Exploitation of these vulnerabilities allows for unauthorized configuration changes to the ProFTPD server, potentially leading to directory traversal and arbitrary file access. Injections into the FTP configuration could be used to manipulate FTP server behavior or access sensitive files.

Reproduction

To reproduce these vulnerabilities, an authenticated HTTP request must be sent to the Wavlink AC3000 router's nas.cgi script. The request can include injected data in the ftp_port, ftp_name, and ftp_max_sessions POST parameters. Once the request is processed, the injected data is written to the router's NVRAM and then used to configure the ProFTPD server. The ProFTPD configuration file can be manipulated to grant unauthorized access to the filesystem, which could lead to executing a shell on the device.
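On the mitigation side, the three parameters named above can be validated against an allow-list before anything reaches NVRAM or the generated ProFTPD configuration. The following C sketch is an added example, not Wavlink's code: the function names, the length and session limits, and the mapping of the parameters to the ProFTPD directives Port, ServerName and MaxClients are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a strictly decimal value in [lo, hi]; any extra byte rejects the field. */
static int parse_bounded(const char *s, long lo, long hi, long *out) {
    char *end;
    if (s == NULL || !isdigit((unsigned char)s[0])) return -1;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < lo || v > hi) return -1;
    *out = v;
    return 0;
}

/* Allow-list for the server name: 1..32 chars of [A-Za-z0-9 _.-] (assumed policy). */
static int valid_name(const char *s) {
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > 32) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != ' ' && c != '_' && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Assumed directive mapping. Returns bytes written, or -1 if any field is rejected. */
int render_ftp_conf(char *buf, size_t len, const char *port,
                    const char *name, const char *max_sessions) {
    long p, m;
    if (parse_bounded(port, 1, 65535, &p) != 0) return -1;
    if (parse_bounded(max_sessions, 1, 64, &m) != 0) return -1;  /* 64: assumed cap */
    if (!valid_name(name)) return -1;
    int n = snprintf(buf, len, "Port %ld\nServerName \"%s\"\nMaxClients %ld\n", p, name, m);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

int main(void) {
    char conf[256];
    /* Constructed inputs: a benign set, then a port carrying an extra config line. */
    printf("%d\n", render_ftp_conf(conf, sizeof conf, "21", "Wavlink NAS", "10"));
    printf("%d\n", render_ftp_conf(conf, sizeof conf, "21\nInjectedDirective on", "nas", "10"));
    return 0;
}
```

Validation belongs at the point where set_nas() accepts the POST values and again where the configuration file is generated, since values already stored in NVRAM may predate the check.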

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 5.6
remediation: 0.0
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.