Talos Vulnerability Report

TALOS-2024-2035

Wavlink AC3000 testsave.sh Information Disclosure vulnerability

January 14, 2025
CVE Number

CVE-2024-39773

SUMMARY

An information disclosure vulnerability exists in the testsave.sh functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Wavlink AC3000 M33A8.V5030.210505

PRODUCT URLS

Wavlink AC3000 - https://www.wavlink.com/en_us/product/WL-WN533A8.html

CVSSv3 SCORE

5.3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-306 - Missing Authentication for Critical Function

DETAILS

The Wavlink AC3000 wireless router is one of the most popular gigabit routers in the US, in part due to both its potential wireless and wired speed capabilities and its extremely low price point (~$60 USD at the time of this writing). Among its configuration options, it can act as a standalone wireless gateway, a basic network router, or a wireless repeater.

Due to how the lighttpd server is configured, any .cgi or .sh file located within the /www/cgi-bin webroot directory can be run directly by browsing to it in a web browser. Among the files on the device is the testsave.sh script, reproduced in its entirety below:

#!/bin/sh


#output HTTP header
echo "Pragma: no-cache\n"
echo "Cache-control: no-cache\n"
echo "Content-type: application/octet-stream"
echo "Content-Transfer-Encoding: binary"            #  "\n" make Un*x happy
echo "Content-Disposition: attachment; filename=\"syslog.txt\""
echo ""

echo "#The following line must not be removed."
cat /var/log/messages 2>/dev/null    # [1]
echo ""

As shown above at [1], this script simply dumps /var/log/messages, resulting in a very quick and easy information disclosure when browsed to.
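For defenders reviewing an unpacked firmware image for the same pattern, the following is an added example (not part of the Talos report or the Wavlink firmware) that lists .sh and .cgi text scripts under www/cgi-bin which read files from sensitive paths. The function names, the SENSITIVE_RE path list and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: static audit of an unpacked firmware root filesystem.
# Reports CGI-webroot scripts that read files from sensitive locations.

# Paths treated as sensitive (assumption for this sketch; extend as needed).
SENSITIVE_RE='/var/log/|/etc/shadow|/etc/passwd'

# audit_cgi_bin ROOT
# Prints "<path relative to ROOT>:<line no>:<line>" for every non-comment
# line where cat/tail/head/cp touches a sensitive path. Returns 2 if ROOT
# has no www/cgi-bin directory.
audit_cgi_bin() {
    root="$1"
    webroot="$root/www/cgi-bin"
    [ -d "$webroot" ] || return 2
    find "$webroot" -type f \( -name '*.sh' -o -name '*.cgi' \) | sort |
    while IFS= read -r f; do
        # -I skips compiled .cgi binaries; only text scripts are inspected.
        grep -InE "^([^#]*[;&|[:space:]])?(cat|tail|head|cp)[[:space:]]+[^#]*($SENSITIVE_RE)" "$f" |
        while IFS= read -r hit; do
            printf '%s:%s\n' "${f#"$root"}" "$hit"
        done
    done
}

# make_sample_rootfs
# Builds a constructed two-script tree in a temp dir and prints its path.
# testsave.sh here is an abbreviated copy of the script shown in this report;
# ping.sh is a made-up benign script.
make_sample_rootfs() {
    dir=$(mktemp -d)
    mkdir -p "$dir/www/cgi-bin"
    printf '%s\n' '#!/bin/sh' \
        'echo "Content-type: application/octet-stream"' \
        'echo ""' \
        'cat /var/log/messages 2>/dev/null' > "$dir/www/cgi-bin/testsave.sh"
    printf '%s\n' '#!/bin/sh' \
        'echo "Content-type: text/plain"' \
        'echo ""' \
        'echo ok' > "$dir/www/cgi-bin/ping.sh"
    echo "$dir"
}

# Demo run against the constructed tree.
sample=$(make_sample_rootfs)
audit_cgi_bin "$sample"
rm -rf "$sample"
```

Each reported script still needs manual review to confirm whether the web server exposes it without authentication.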

TIMELINE

2024-07-25 - Initial Vendor Contact
2024-07-29 - Requesting reply from vendor
2024-07-30 - Vendor confirms receipt
2024-07-30 - Vendor Disclosure
2024-07-30 - Vendor confirms receipt
2024-09-02 - Status update request sent
2024-10-15 - Status update request. Upcoming expiration date announced.
2024-10-22 - Vendor replies product has been discontinued, but patches are being worked on
2024-11-04 - Status update request for patch release dates
2024-11-12 - TALOS advisory release date announced
2025-01-14 - Public Release

Credit

Discovered by Lilith >_> of Cisco Talos.