Wavlink AC1200 Command Injection Vulnerability in Password Reset Function

Vulnerability

A post-authentication command injection vulnerability has been identified in the Wavlink AC1200 router, specifically in firmware versions M32A3_V1410_230602 and M32A3_V1410_240222. The vulnerability resides in the 'set_sys_adm' function of the 'adm.cgi' binary, where improper sanitization of the user-provided 'newpass' field allows for arbitrary command execution. This issue is accessible through the 'Login Password' page on the router's web interface.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the router's operating system with the privileges of the web server user.

Reproduction

To reproduce this vulnerability, log in to the Wavlink AC1200 router and navigate to the 'Login Password' page. Once there, send a POST request to the '/cgi-bin/adm.cgi' endpoint. Include the 'page' parameter set to 'sysAdm', the 'username' parameter with the value 'admin', and the 'SYSPASS' parameter with the current password. The 'newpass' parameter should be crafted to include command injection payloads, such as a command followed by a URL-encoded '&&' to chain commands. After the request is sent, the injected command is executed on the router.
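
A detection check for the request shape described above, added here as an example and not taken from Wavlink or from this advisory: it flags POSTs to '/cgi-bin/adm.cgi' with 'page' set to 'sysAdm' whose decoded 'newpass' value contains shell metacharacters. The function name, the metacharacter set and the sample request bodies are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# Assumed set of characters that chain or substitute shell commands.
# A real password may contain some of these, so treat hits as triage leads.
SHELL_META = set("&;|`$()<>\n\r")


def inspect_request(method, path, body):
    """Return findings for one HTTP request; an empty list means nothing flagged."""
    if method.upper() != "POST" or path.split("?", 1)[0] != "/cgi-bin/adm.cgi":
        return []
    # parse_qs splits on raw '&' first and URL-decodes afterwards, so an
    # encoded '&&' (%26%26) stays inside the field and is seen here as '&&'.
    fields = parse_qs(body, keep_blank_values=True)
    if fields.get("page", [""])[0] != "sysAdm":
        return []
    findings = []
    for value in fields.get("newpass", []):
        hits = sorted(SHELL_META.intersection(value))
        if hits:
            shown = " ".join(repr(c) for c in hits)
            findings.append("newpass contains shell metacharacters: " + shown)
    return findings


# Constructed sample request bodies (not captured traffic).
BENIGN = "page=sysAdm&username=admin&SYSPASS=oldpw&newpass=Corr3ct-Horse_9"
SUSPECT = "page=sysAdm&username=admin&SYSPASS=oldpw&newpass=PLACEHOLDER%26%26"

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, inspect_request("POST", "/cgi-bin/adm.cgi", body))
```

Because the endpoint is reached only after login, the check is most useful on a reverse proxy or in request logs that record POST bodies for the management interface.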

Added: Sep 2, 2025, 3:24 PM
Updated: Sep 2, 2025, 8:27 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 0.4
threat: 6.6
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.