Wavlink AC3000 OpenVPN Configuration Injection Vulnerability Allowing Arbitrary Command Execution

A vulnerability allowing arbitrary command execution through configuration injection has been identified in the Wavlink AC3000 router, specifically in the OpenVPN CGI interface version M33A8.V5030.210505. The issue arises because the OpenVPN server setup function does not properly validate input from several POST parameters, allowing authenticated users to inject malicious commands that are executed by the router's OpenVPN service.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the router with elevated privileges, potentially leading to unauthorized access or control over the device.

Reproduction

To reproduce this vulnerability, an authenticated user must send a crafted HTTP POST request to the OpenVPN CGI interface of the Wavlink AC3000 router. The request must include malicious payloads in the 'sel_open_interface', 'open_port', or 'sel_open_protocol' parameters, which are then injected into the OpenVPN configuration files. Once the OpenVPN service is restarted, the injected commands are executed, leading to arbitrary command execution on the router.