Wavlink WL-WN575A3 Buffer Overflow Vulnerabilities Allowing Device Crash and Unauthorized Command Execution

Multiple buffer overflow vulnerabilities have been identified in the Wavlink WL-WN575A3 router, specifically in the firmware version RPT75A3.V4300. These vulnerabilities arise from inadequate length checks on user-controlled data, enabling attackers to either crash the device or execute arbitrary commands without any authorization verification. The issues are present in two binary files: 'wireless.cgi' and 'libwebutil.so'.

Impact

Exploitation of these vulnerabilities can lead to a device crash or unauthorized execution of commands, potentially allowing an attacker to gain full control over the device.

Reproduction

To reproduce this vulnerability, send a POST request to '/cgi-bin/wireless.cgi' with the 'wlan_conf' parameter set to 2860 and the 'page' parameter set to 'obtw'. Include oversized data in one of the following parameters: 'CCK_1M', 'CCK_5M', 'OFDM_6M', 'OFDM_12M', 'HT20_MCS_0', 'HT20_MCS_1_2', 'HT40_MCS_0', 'HT40_MCS_32', or 'HT40_MCS_1_2'. The request can be sent using a tool like Hackbar. This will exploit the buffer overflow, causing the device to crash or execute the injected commands.