Wavlink AC3000 Multiple ProFTPD Configuration Control Vulnerabilities

Multiple external configuration control vulnerabilities have been identified in the Wavlink AC3000 router, specifically in the nas.cgi set_nas() ProFTPD functionality, within the firmware version M33A8.V5030.210505. These vulnerabilities allow for permission bypass through specially crafted HTTP requests. An authenticated user can exploit these issues, leading to unauthorized configuration changes that could be leveraged for further exploitation.

Impact

Exploitation of these vulnerabilities allows for unauthorized configuration changes to the ProFTPD server, potentially leading to directory traversal and arbitrary file access, which could be used to gain a shell on the system.

Reproduction

To reproduce this vulnerability, an authenticated HTTP request must be sent to the Wavlink AC3000 router's nas.cgi script, targeting the set_nas() function. The request should include crafted POST parameters that inject malicious ProFTPD configuration into the router's NVRAM. Once the configuration is injected, the ProFTPD server can be manipulated to traverse the filesystem and execute arbitrary commands.