Wavlink AC3000 OpenVPN CGI Configuration Control Vulnerability Allowing Arbitrary Command Execution

A vulnerability allowing arbitrary command execution has been identified in the Wavlink AC3000 router, specifically in the OpenVPN CGI interface's server setup functionality. This issue arises from multiple external configuration control vulnerabilities that can be exploited by sending a specially crafted HTTP request. The vulnerability affects Wavlink AC3000 routers running firmware version M33A8.V5030.210505.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the router with elevated privileges.

Reproduction

To reproduce this vulnerability, an authenticated user must send a POST request to the OpenVPN CGI interface, specifically targeting the 'openvpn_server_setup' function. The 'sel_open_server_val' parameter must be set to '1' to initiate the server setup process. During this process, the 'open_port', 'sel_open_interface', and 'sel_open_protocol' parameters can be manipulated to inject arbitrary commands into the OpenVPN server configuration. Once the commands are injected, the OpenVPN service can be restarted, executing the injected commands with root privileges.