Wavlink AC3000 Buffer Overflow Vulnerability in QoS CGI Settings

Multiple stack-based buffer overflow vulnerabilities have been identified in the QoS CGI 'qos_settings' function of the Wavlink AC3000 router, specifically in the firmware version M33A8.V5030.210505. These vulnerabilities can be triggered by authenticated users sending specially crafted HTTP requests. The 'qos_dat' POST parameter is one of the fields that can be exploited, leading to arbitrary code execution.

Impact

Exploitation of these vulnerabilities allows for stack-based buffer overflows, resulting in arbitrary code execution on the affected device.

Reproduction

To reproduce this vulnerability, an authenticated user must send a POST request to the 'qos.cgi' page with crafted data in the 'qos_dat', 'qos_bandwidth', and 'sel_mode' parameters. The 'qos_bandwidth' and 'qos_dat' parameters can be manipulated to exceed the buffer size, while the 'sel_mode' parameter can be used to control the execution flow and trigger the buffer overflow.