Talos Vulnerability Report

TALOS-2024-1999

Wavlink AC3000 touchlist_sync.cgi main() arbitrary code execution vulnerability

January 14, 2025

CVE Number

CVE-2022-2488

SUMMARY

An arbitrary code execution vulnerability exists in the touchlist_sync.cgi main() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can send an HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Wavlink AC3000 M33A8.V5030.210505

PRODUCT URLS

Wavlink AC3000 - https://www.wavlink.com/en_us/product/WL-WN533A8.html

CVSSv3 SCORE

10.0 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-77 - Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

DETAILS

The Wavlink AC3000 wireless router is predominately one of the most popular gigabit routers in the US, in part due to both its potential wireless and wired speed capabilities and extremely low price point (costing at the time of this writing ~$60 USD). Among the configuration options, it’s also able to act as a standalone wireless gateway, a basic network router, or a wireless repeater.

When interacting with and configuring the Wavlink AC3000 wifi router, as is typical of most wifi routers, an administrator logs in via some web portal and configures appropriate options via the HTTP interface. In the case of this particular router, and in another somewhat common execution pattern, these HTML pages can invoke .cgi binaries due to how the lighttpd server is configured. Since all of these .shtml and .cgi files are located in the web root, anyone with network access to the device doesn’t actually need to log in to the device to interact with these .cgi files, and it usually is the responsibility of the .cgi binary to check if the authentication is completed successfully. On this device, one will see a check_valid_user() function in each individual .cgi binary which will check the session cookie of the HTTP request to see if it’s coming from a validly logged in user.

In the case of the touchlink_sync.cgi binary, there’s not actually a call to check_valid_user(), so the only requirement to hit any of the vulnerabilities herein is a network connection. With that in mind, let us actually delve into the main functionality of this binary:

00400ab0  int32_t main(int32_t argc, char** argv, char** envp)

00400af0      char* qstr = getenv(name: "QUERY_STRING")                               // [1]
00400b0c      char* AccessControlList2_nvram = nvram_bufget(2, "AccessControlList2")
00400b54      if (strcmp(str1: web_get("getACL", qstr, 0), str2: "1") != 0)           // [2]
00400c28          int32_t var_600
00400c28          char* tmp
00400c28          if (access("/tmp/web_log") == 0)
//[...]
00400c40          int32_t IP = web_get("IP", qstr, 0)               // [3]
00400c58          putchar(char_: '1')
00400c68          if (zx.d(*IP) != 0)
00400c78              char* str1 = nvram_bufget(0, "MeshMode")
00400c94              int32_t $v0_9 = nvram_bufget(0, "lan_ipaddr")
00400cb0              int32_t is_MeshMode = strcmp(str1, str2: "1")
00400cbc              void cmd_to_run
00400cbc              char result_str[0x481]
00400cbc              void* popen_results
00400cbc              int32_t $v0_22
00400cbc              void* stream_3
00400cbc              if (is_MeshMode == 0)                          // [4]
00400ed0                  // -m is just max time
    00400ed0                  sprintf(&cmd_to_run, "curl -s -m 5 http://%s/cgi-bin/touchlist_sync.cgi?getACL=1", IP)  // [5]
00400ef4                  if (access("/tmp/web_log") == 0)
// [...]
00400f08                  popen_results = popen(&cmd_to_run, "r")  //  [6]

At [1], the binary immediately grabs the QUERY_STRING environment variable (which is how lighttpd passes in data to .cgi files), and the query string is searched for the getACL parameter at [2]. Assuming this either not found or is equal to anything but “1”, we enter the branch at [2]. Our query string is then again parsed at [3], except now we search for the IP parameter. Assuming this is found and is non-null, we continue on to the branch at [4], which is actually the most consequential line of code in this function, as in order to trigger this vulnerability, the device must be in Mesh Mode, which is something outside of an attacker’s control. But assuming that our current device is in fact in mesh mode, we enter the branch at [4], call an sprintf at [5] with the value of our IP parameter which is never sanitized or checked in any meaningful way, and then immediately plugged into a popen call at [6], resuling in an elementary code injection if we happen to handle our escaping of quotes and spaces correctly in the input, perhaps if we theoretically set IP to something like %3b%20touch%20/tmp/touchlist.txt%3b.

TIMELINE

2024-07-25 - Initial Vendor Contact
2024-07-29 - Requesting reply from vendor
2024-07-30 - Vendor confirms receipt
2024-07-30 - Vendor Disclosure
2024-07-30 - Vendor confirms receipt
2024-09-02 - Status update request sent
2024-10-15 - Status update request. Upcoming expiration date announced.
2024-10-22 - Vendor replies product has been discontinued, but patches are being worked on
2024-11-04 - Status update request for patch release dates
2024-11-12 TALOS advisory release date announced
2025-01-14 - Public Release

Credit

Discovered by Lilith >_> of Cisco Talos.

TALOS-2024-2000

TALOS-2024-2037

Intelligence Center

Vulnerability Research

Incident Response

Security Resources

Media

Company