Wavlink AC3000 Buffer Overflow Vulnerability in qos.cgi qos_settings() Function

Vulnerability

Multiple buffer overflow vulnerabilities have been identified in the Wavlink AC3000 router, specifically in the qos.cgi file within the qos_settings() function. These vulnerabilities arise from stack-based buffer overflows caused by improperly validated HTTP POST request parameters. The affected version is Wavlink AC3000 M33A8.V5030.210505. An authenticated attacker can exploit these vulnerabilities, leading to arbitrary code execution.

Impact

Exploitation of these vulnerabilities allows for stack-based buffer overflows, resulting in arbitrary code execution on the affected device.

Reproduction

To reproduce this vulnerability, an authenticated user must send a crafted HTTP POST request to the router's qos.cgi page. The request must include the qos_bandwidth, qos_dat, and sel_mode parameters, which are processed without proper length validation. This lack of validation allows the input to overflow a buffer, specifically the cmdtorun variable, which is then used to execute arbitrary commands on the router.
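A hardened form of the pattern described above, as an added illustration; it is not the vendor's firmware code, which this page does not show. The buffer and parameter sizes, the qos_apply command name, the build_qos_cmd helper and the digits-only value format are all assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CMD_MAX   128  /* assumed size of the cmdtorun stack buffer */
#define PARAM_MAX 16   /* assumed upper bound for one parameter value */

/* Accept only short, non-empty, all-digit values (assumed value format). */
static int param_ok(const char *v)
{
    size_t i, n;
    if (v == NULL) return 0;
    n = strlen(v);
    if (n == 0 || n > PARAM_MAX) return 0;
    for (i = 0; i < n; i++)
        if (!isdigit((unsigned char)v[i])) return 0;
    return 1;
}

/* Builds the command into out. Returns 0 on success, -1 if rejected.
 * The unbounded form this replaces would be (hypothetical command name):
 *     sprintf(cmdtorun, "qos_apply %s %s %s", bandwidth, dat, mode);   */
int build_qos_cmd(char *out, size_t outlen, const char *bandwidth,
                  const char *dat, const char *mode)
{
    int n;
    if (out == NULL || outlen == 0) return -1;
    out[0] = '\0';
    if (!param_ok(bandwidth) || !param_ok(dat) || !param_ok(mode))
        return -1;
    n = snprintf(out, outlen, "qos_apply %s %s %s", bandwidth, dat, mode);
    if (n < 0 || (size_t)n >= outlen) {  /* would not fit: reject, never truncate */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char cmdtorun[CMD_MAX];
    char oversized[600];                 /* constructed over-long input */
    memset(oversized, '1', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("%d\n", build_qos_cmd(cmdtorun, sizeof cmdtorun, "1000", "512", "1"));
    printf("%d\n", build_qos_cmd(cmdtorun, sizeof cmdtorun, oversized, "512", "1"));
    return 0;
}
```

Because the character allowlist runs before formatting, the same check also keeps shell metacharacters out of a string that is later executed as a command.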

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 7.5
exploitability: 5.9
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.