CVE-2024-39768,CVE-2024-39770,CVE-2024-39769
Multiple buffer overflow vulnerabilities exist in the internet.cgi set_qos() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to stack-based buffer overflow. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Wavlink AC3000 M33A8.V5030.210505
Wavlink AC3000 - https://www.wavlink.com/en_us/product/WL-WN533A8.html
9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
The Wavlink AC3000 wireless router is predominately one of the most popular gigabit routers in the US, in part due to both its potential wireless and wired speed capabilities and extremely low price point (costing at the time of this writing ~$60 USD). Among the configuration options, it’s also able to act as a standalone wireless gateway, a basic network router, or a wireless repeater.
When interacting with and configuring the Wavlink AC3000 wifi router, as is typical of most wifi routers, an administrator logs in via some web portal and configures appropriate options via the HTTP interface. In the case of this particular router, and in another somewhat common execution pattern, these HTML pages can invoke .cgi binaries due to how the lighttpd server is configured. Since all of these .shtml and .cgi files are located in the web root, anyone with network access to the device doesn’t actually need to log in to the device to interact with these .cgi files, and it usually is the responsibility of the .cgi binary to check if the authentication is completed successfully. On this device, one will see a check_valid_user() function in each individual .cgi binary which will check the session cookie of the HTTP request to see if it’s coming from a validly logged in user.
Assuming that we’ve passed this check in the internet.cgi binary, we then run into a set of functions that we can call based off of what we pass for the page= parameter in our HTTP POST request. Of the available commands, we focus on the following:
00401a50 else if (strcmp(page_get, "qos") == 0)
00401abc set_qos(malloc_contlen)
If we provide page=qos, we enter the set_qos function and our provided POST data is further parsed therein:
00403d54 char* cli_name = strdup(web_get("cli_name", inp, 1)) // [1]
00403d8c char* cli_mac = strdup(web_get("cli_mac", inp, 1)) // [2]
00403dc0 char* en_enable = strdup(web_get("en_enable", inp, 1)) // [3]
00403dc8 char* var_8d8
00403dc8 char* var_8d4
00403dc8 if (access("/tmp/web_log", 0) == 0)
// [...]
00403df4 char* $s2 = nvram_bufget(0, "ClientList")
00403df8 char buf_0x424[0x400]
Three more POST parameters are read in from our input packet into the heap, all of them without length restriction - cli_name [1], cli_mac [2], and en_enable [3]. These fields will all eventually be thrown into our stack-based buffer buf_0x424 of size 0x400.
A buffer overflow vulnerability exists on the cli_name POST parameter at the call to strcat at [5]:
00403df8 char buf_0x424[0x400] // [4]
00403df8 strcat(&buf_0x424, cli_name) // [5]
00403e30 void* $v0_8 = &buf_0x424[strlen(&buf_0x424)]
00403e38 *$v0_8 = 0x2a
00403e40 *($v0_8 + 1) = 0
00403e3c strcat(&buf_0x424, cli_mac) // [6]
00403e70 void* $v0_10 = &buf_0x424[strlen(&buf_0x424)]
00403e74 *$v0_10 = 0x2a
00403e7c *($v0_10 + 1) = 0
00403e80 strcat(&buf_0x424, en_enable) // [7]
This vulnerability easily leads to the return address of the function being overwritten by arbitrary attacker-controlled data, leading to code execution.
Thread 2.1 "internet.cgi" hit Breakpoint 3, 0x00403ce8 in add_qos ()
(gdb) c
Continuing.
[Detaching after fork from child process 22202]
Thread 2.1 "internet.cgi" received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg
zero at v0 v1 a0 a1 a2 a3
R0 00000000 7772f439 00000000 7772ef28 00000001 7772ef28 00000000 00000000
t0 t1 t2 t3 t4 t5 t6 t7
R8 00000000 5fd4f28d 81ee0000 00000000 68732e6c 00000000 00000001 226c6d74
s0 s1 s2 s3 s4 s5 s6 s7
R16 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
t8 t9 k0 k1 gp sp s8 ra
R24 00000001 77698440 7773f023 00000000 77734490 7f868288 41414141 41414141
status lo hi badvaddr cause pc
0100fc13 0001b05a 00000222 41414140 50800008 41414141
fcsr fir hi1 lo1 hi2 lo2 hi3 lo3
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dspctl restart
00000000 00000000
A buffer overflow vulnerability exists on the cli_mac POST parameter at the call to strcat at [6]:
00403df8 char buf_0x424[0x400] // [4]
00403df8 strcat(&buf_0x424, cli_name) // [5]
00403e30 void* $v0_8 = &buf_0x424[strlen(&buf_0x424)]
00403e38 *$v0_8 = 0x2a
00403e40 *($v0_8 + 1) = 0
00403e3c strcat(&buf_0x424, cli_mac) // [6]
00403e70 void* $v0_10 = &buf_0x424[strlen(&buf_0x424)]
00403e74 *$v0_10 = 0x2a
00403e7c *($v0_10 + 1) = 0
00403e80 strcat(&buf_0x424, en_enable) // [7]
This vulnerability easily leads to the return address of the function being overwritten by arbitrary attacker-controlled data, leading to code execution.
Thread 2.1 "internet.cgi" hit Breakpoint 3, 0x00403ce8 in add_qos ()
(gdb) c
Continuing.
[Detaching after fork from child process 22202]
Thread 2.1 "internet.cgi" received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg
zero at v0 v1 a0 a1 a2 a3
R0 00000000 7772f439 00000000 7772ef28 00000001 7772ef28 00000000 00000000
t0 t1 t2 t3 t4 t5 t6 t7
R8 00000000 5fd4f28d 81ee0000 00000000 68732e6c 00000000 00000001 226c6d74
s0 s1 s2 s3 s4 s5 s6 s7
R16 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
t8 t9 k0 k1 gp sp s8 ra
R24 00000001 77698440 7773f023 00000000 77734490 7f868288 41414141 41414141
status lo hi badvaddr cause pc
0100fc13 0001b05a 00000222 41414140 50800008 41414141
fcsr fir hi1 lo1 hi2 lo2 hi3 lo3
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dspctl restart
00000000 00000000
A buffer overflow vulnerability exists on the en_enable POST parameter at the call to strcat at [7]:
00403df8 char buf_0x424[0x400] // [4]
00403df8 strcat(&buf_0x424, cli_name) // [5]
00403e30 void* $v0_8 = &buf_0x424[strlen(&buf_0x424)]
00403e38 *$v0_8 = 0x2a
00403e40 *($v0_8 + 1) = 0
00403e3c strcat(&buf_0x424, cli_mac) // [6]
00403e70 void* $v0_10 = &buf_0x424[strlen(&buf_0x424)]
00403e74 *$v0_10 = 0x2a
00403e7c *($v0_10 + 1) = 0
00403e80 strcat(&buf_0x424, en_enable) // [7]
This vulnerability easily leads to the return address of the function being overwritten by arbitrary attacker-controlled data, leading to code execution.
Thread 2.1 "internet.cgi" hit Breakpoint 3, 0x00403ce8 in add_qos ()
(gdb) c
Continuing.
[Detaching after fork from child process 22202]
Thread 2.1 "internet.cgi" received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg
zero at v0 v1 a0 a1 a2 a3
R0 00000000 7772f439 00000000 7772ef28 00000001 7772ef28 00000000 00000000
t0 t1 t2 t3 t4 t5 t6 t7
R8 00000000 5fd4f28d 81ee0000 00000000 68732e6c 00000000 00000001 226c6d74
s0 s1 s2 s3 s4 s5 s6 s7
R16 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
t8 t9 k0 k1 gp sp s8 ra
R24 00000001 77698440 7773f023 00000000 77734490 7f868288 41414141 41414141
status lo hi badvaddr cause pc
0100fc13 0001b05a 00000222 41414140 50800008 41414141
fcsr fir hi1 lo1 hi2 lo2 hi3 lo3
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dspctl restart
00000000 00000000
2024-07-25 - Initial Vendor Contact
2024-07-29 - Requesting reply from vendor
2024-07-30 - Vendor confirms receipt
2024-07-30 - Vendor Disclosure
2024-07-30 - Vendor confirms receipt
2024-09-02 - Status update request sent
2024-10-15 - Status update request. Upcoming expiration date announced.
2024-10-22 - Vendor replies product has been discontinued, but patches are being worked on
2024-11-04 - Status update request for patch release dates
2024-11-12 TALOS advisory release date announced
2025-01-14 - Public Release
Discovered by Lilith >_> of Cisco Talos.