Wavlink AC3000 OpenVPN Configuration Injection Vulnerability Allowing Arbitrary Command Execution

A vulnerability allowing arbitrary command execution through configuration injection has been identified in the Wavlink AC3000 router, specifically in the OpenVPN CGI interface version M33A8.V5030.210505. The issue arises within the 'openvpn_server_setup' function, where certain POST parameters can be exploited by authenticated users to inject malicious commands into the system.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the router's operating system.

Reproduction

To reproduce this vulnerability, an authenticated user must send a POST request to the 'openvpn.cgi' script with crafted data that includes the 'sel_open_protocol', 'open_port', or 'sel_open_interface' parameters. The injected data is not properly sanitized and can be used to execute arbitrary commands when the OpenVPN server is started.