CVE-2024-21797
A command execution vulnerability exists in the adm.cgi set_TR069() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Wavlink AC3000 M33A8.V5030.210505
Wavlink AC3000 - https://www.wavlink.com/en_us/product/WL-WN533A8.html
9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
The Wavlink AC3000 wireless router is predominately one of the most popular gigabit routers in the US, in part due to both its potential wireless and wired speed capabilities and extremely low price point (costing at the time of this writing ~$60 USD). Among the configuration options, it’s also able to act as a standalone wireless gateway, a basic network router, or a wireless repeater.
When interacting with and configuring the Wavlink AC3000 wifi router, as is typical of most wifi routers, an administrator logs in via some web portal and configures appropriate options via the HTTP interface. In the case of this particular router, and in another somewhat common execution pattern, these HTML pages can invoke .cgi binaries due to how the lighttpd server is configured. Since all of these .shtml and .cgi files are located in the web root, anyone with network access to the device doesn’t actually need to log in to the device to interact with these .cgi files, and it usually is the responsibility of the .cgi binary to check if the authentication is completed successfully. On this device, one will see a check_valid_user() function in each individual .cgi binary which will check the session cookie of the HTTP request to see if it’s coming from a validly logged in user.
Assuming that we’ve passed this check in the adm.cgi binary, we then run into a set of functions that we can call based off of what we pass for the page= parameter in our HTTP POST request. Of the available commands, we focus on the following:
00401a28 else if (strcmp(webget_page, "TR069") == 0)
00401b84 set_TR069(contlen_buf)
If we provide page=TR069, we enter the set_TR069 function and our provided POST data is further parsed therein:
00408d70 int32_t set_TR069(int32_t arg1)
00408db8 void var_140
00408db8 memset(&var_140, 0, 0x100)
00408df0 int32_t $v0_1 = strdup(web_get("TR069_local_enable", arg1, 0))
00408e28 int32_t $v0_3 = strdup(web_get("TR069_acs_url", arg1, 0))
00408e5c int32_t $v0_5 = strdup(web_get("TR069_acs_username", arg1, 0))
00408e90 int32_t $v0_7 = strdup(web_get("TR069_acs_password", arg1, 0))
00408ec4 int32_t TR069_local_port = strdup(web_get("TR069_local_port", arg1, 0)) // [1]
00408ef8 int32_t $v0_10 = strdup(web_get("TR069_local_username", arg1, 0))
00408f2c int32_t $v0_12 = strdup(web_get("TR069_local_password", arg1, 0))
00408f64 int32_t $v0_14 = strdup(web_get("TR069_acs_periodic_interval", arg1, 0))
00408f9c int32_t $v0_16 = strdup(web_get("TR069_acs_periodic_enable", arg1, 0))
00408fbc nvram_bufset(0, "TR069_local_enable", $v0_1)
00408fd8 nvram_bufset(0, "TR069_acs_url", $v0_3)
00408ff4 nvram_bufset(0, "TR069_acs_username", $v0_5)
00409010 nvram_bufset(0, "TR069_acs_password", $v0_7)
0040902c nvram_bufset(0, "TR069_local_port", TR069_local_port)
00409048 nvram_bufset(0, "TR069_local_username", $v0_10)
00409064 nvram_bufset(0, "TR069_local_password", $v0_12)
00409080 nvram_bufset(0, "TR069_acs_periodic_enable", $v0_16)
00409090 if (sx.d(*$v0_14) != 0)
004091f4 nvram_bufset(0, "TR069_acs_periodic_interval", $v0_14)
004090a0 nvram_commit(0)
004090bc sprintf(&var_140, "iptables -t filter -I INPUT -p tcp --dport %s -j A…", TR069_local_port) // [2]
004090d4 system(&var_140)
004090f0 sprintf(&var_140, "iptables -t filter -I INPUT -p udp --dport %s -j A…", TR069_local_port) // [3]
00409108 system(&var_140)
00409130 if (access("/tmp/web_log", 0) == 0)
00409184 int32_t $v0_20 = fopen("/dev/console", &data_415758)
00409190 if ($v0_20 != 0)
004091bc fprintf($v0_20, "%s:%s:%d:start easycwmpd................\n\n", "adm.c", "set_TR069", 0x8aa)
004091d4 fclose($v0_20)
00409170 return do_system("easycwmpd &")
At [1], the binary copies our TR069_local_port POST parameter to the heap and then at [2] and [3], copies our input buffer to the stack in order to run some iptables commands. As there is no input filtering at all on the parameter provided, we can easily inject subshell commands to be run by /bin/sh.
2024-07-25 - Initial Vendor Contact
2024-07-29 - Requesting reply from vendor
2024-07-30 - Vendor confirms receipt
2024-07-30 - Vendor Disclosure
2024-07-30 - Vendor confirms receipt
2024-09-02 - Status update request sent
2024-10-15 - Status update request. Upcoming expiration date announced.
2024-10-22 - Vendor replies product has been discontinued, but patches are being worked on
2024-11-04 - Status update request for patch release dates
2024-11-12 TALOS advisory release date announced
2025-01-14 - Public Release
Discovered by Lilith >_> of Cisco Talos.