Wavlink WL-WN578W2 Command Injection Vulnerability in Unauthenticated Wizard Rep Page

A critical command injection vulnerability has been identified in the Wavlink WL-WN578W2 wireless range extender, specifically in the M78W2_V221110 firmware. The issue arises in the '/wizard_rep.shtml' page, where the 'sel_EncrypTyp' parameter can be manipulated to inject arbitrary system commands. This vulnerability is particularly concerning because it bypasses the device's weak input filter, which only blocks two characters: the pipe and backtick. As a result, attackers can execute commands with root privileges, fully compromising the device, and all of this can be done remotely without any authentication.

Impact

Exploitation of this vulnerability allows for arbitrary command execution with root privileges on the affected device, potentially leading to a complete compromise of the device's functionality and security.

Reproduction

To reproduce this vulnerability, access the 'wizard_rep.shtml' page on the Wavlink WL-WN578W2 device running the vulnerable firmware. No login is required. Once on the page, send a POST request to '/cgi-bin/adm.cgi' with the 'sel_EncrypTyp' parameter set to include the desired command injection payload. The injected command will be executed with root privileges, and the results can be captured using a Netcat listener.