Wavlink AC3000 Buffer Overflow Vulnerabilities in QoS CGI Settings

Vulnerability

Multiple stack-based buffer overflow vulnerabilities have been identified in the QoS CGI 'qos_settings' function of the Wavlink AC3000 router, version M33A8.V5030.210505. An authenticated attacker can trigger the overflows by sending specially crafted HTTP requests, potentially leading to arbitrary code execution.

Impact

Exploitation of these vulnerabilities causes stack-based buffer overflows, allowing for arbitrary code execution on the device.

Reproduction

To reproduce these vulnerabilities, an authenticated user must send a POST request to the 'qos.cgi' page with crafted data in the 'qos_bandwidth', 'qos_dat', or 'sel_mode' parameters. The 'qos_settings' function will process this data without proper length checks, enabling the buffer overflow. Once the overflow occurs, the return address can be overwritten, leading to arbitrary code execution.
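
The length check that the description above says is missing, shown as a defensive pattern. This is an added example, not Wavlink's firmware code: the buffer sizes, the struct, and the function names copy_param and qos_settings_checked are assumptions, since the page gives no code or sizes.

```c
#include <stddef.h>
#include <string.h>

/* Assumed destination sizes; the firmware's real sizes are not on the page. */
#define BW_MAX   32
#define DAT_MAX  256
#define MODE_MAX 8

struct qos_cfg {                 /* hypothetical parsed QoS settings */
    char bandwidth[BW_MAX];
    char dat[DAT_MAX];
    char mode[MODE_MAX];
};

/* Copy one CGI parameter into a fixed buffer.
 * Returns 0 on success, -1 if the value is missing or does not fit.
 * Over-length input is rejected, not silently truncated. */
static int copy_param(char *dst, size_t dst_len, const char *src)
{
    size_t n = 0;

    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    while (n < dst_len && src[n] != '\0')   /* scan at most dst_len bytes */
        n++;
    if (n == dst_len)                       /* no room left for the NUL */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Hypothetical hardened handler for the three parameters named above.
 * Every value is bounds-checked before use; on any failure the config
 * is zeroed so no partially parsed request is acted on. */
int qos_settings_checked(struct qos_cfg *cfg, const char *qos_bandwidth,
                         const char *qos_dat, const char *sel_mode)
{
    if (cfg == NULL)
        return -1;
    memset(cfg, 0, sizeof *cfg);
    if (copy_param(cfg->bandwidth, sizeof cfg->bandwidth, qos_bandwidth) ||
        copy_param(cfg->dat, sizeof cfg->dat, qos_dat) ||
        copy_param(cfg->mode, sizeof cfg->mode, sel_mode)) {
        memset(cfg, 0, sizeof *cfg);
        return -1;               /* caller should reject the request */
    }
    return 0;
}
```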

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 7.5
exploitability: 5.9
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.