Talos Vulnerability Report

SUMMARY

A buffer overflow vulnerability exists in the usbip.cgi set_info() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to stack-based buffer overflow. An attacker can make an authenticated HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Wavlink AC3000 M33A8.V5030.210505

PRODUCT URLS

Wavlink AC3000 - https://www.wavlink.com/en_us/product/WL-WN533A8.html

CVSSv3 SCORE

9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

DETAILS

The Wavlink AC3000 wireless router is predominately one of the most popular gigabit routers in the US, in part due to both its potential wireless and wired speed capabilities and extremely low price point (costing at the time of this writing ~$60 USD). Among the configuration options, it’s also able to act as a standalone wireless gateway, a basic network router, or a wireless repeater.

When interacting with and configuring the Wavlink AC3000 wifi router, as is typical of most wifi routers, an administrator logs in via some web portal and configures appropriate options via the HTTP interface. In the case of this particular router, and in another somewhat common execution pattern, these HTML pages can invoke .cgi binaries due to how the lighttpd server is configured. Since all of these .shtml and .cgi files are located in the web root, anyone with network access to the device doesn’t actually need to log in to the device to interact with these .cgi files, and it usually is the responsibility of the .cgi binary to check if the authentication is completed successfully. On this device, one will see a check_valid_user() function in each individual .cgi binary which will check the session cookie of the HTTP request to see if it’s coming from a validly logged in user.

Assuming that we’ve passed this check in the usbip.cgi binary, we then run into a set of functions that we can call based off of what we pass for the page= parameter in our HTTP POST request. Of the available commands, we focus on the following:

00400f7c                  int32_t is_admin_1 = strcmp(str1: str1_1, str2: "admin")
00400f88                  int32_t $v0_16
00400f88                  int32_t $v0_17
00400f88                  if (is_admin_1 != 0)
00400f98                      $v0_16 = strcmp(str1: str1_1, str2: "login")
00400fa4                      if ($v0_16 == 0)
00401248                          Login(content_buf)
00400fa4                      else
00400fb4                          $v0_17 = strcmp(str1: str1_1, str2: "adminM68PD")
00400fc0                  if (is_admin_1 == 0 || (is_admin_1 != 0 && $v0_16 != 0 && $v0_17 == 0))
0040114c                      set_info(content_buf)

If we provide page=admin or page=adminM68PD, we enter the set_info() function and our provided POST data is further parsed therein:

00401ac0  int32_t set_info(int32_t arg1)

00401b24      int32_t SSID = strdup(web_get("SSID", arg1, 0))        // [1]
00401b5c      int32_t Password = strdup(web_get("Password", arg1, 0))
00401b94      int32_t Channel = strdup(web_get("Channel", arg1, 0))
00401bcc      int32_t TxPower = strdup(web_get("TxPower", arg1, 0))
00401c04      int32_t UsbMode = strdup(web_get("UsbMode", arg1, 0))
00401c3c      int32_t LimitPC = strdup(web_get("LimitPC", arg1, 0))
00401c74      int32_t MAC_PC = strdup(web_get("MAC_PC", arg1, 0))
00401cac      int32_t Manager = strdup(web_get("Manager", arg1, 0))
00401ce4      int32_t ManagerPassword = strdup(web_get("ManagerPassword", arg1, 0))
00401d04      void var_70
00401d04      sprintf(&var_70, "%s_5G", SSID) // [2]
00401d20      void var_b0
00401d20      sprintf(&var_b0, "%s_2G", SSID) // [3]

We don’t need to go particularly far to see our vulnerability here. At [1], the binary grabs an arbitrary length input buffer from our SSID POST parameter and at [2] and [3], directly copies it to the stack without a length check. Since our input buffer can easily reach length 0x70 or 0xb0, we can overwrite the return address of the function with arbitrary data, resulting in code execution.

Crash Information

Thread 2.1 "usbip.cgi" received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) bt
#0  0x41414141 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) info reg
          zero       at       v0       v1       a0       a1       a2       a3
 R0   00000000 00000000 7fc52e84 00005288 00000000 00858008 0085bef8 0085bf08
            t0       t1       t2       t3       t4       t5       t6       t7
 R8   7700b2b4 7700a6e4 00000000 ffffffff 77172000 f0000000 00000001 004020c8
            s0       s1       s2       s3       s4       s5       s6       s7
 R16  41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
            t8       t9       k0       k1       gp       sp       s8       ra
 R24  0000003e 7700f288 00000000 00000000 77190010 7fc52f38 41414141 41414141
        status       lo       hi badvaddr    cause       pc
      0100fc13 00111044 00000030 41414140 50800008 41414141
          fcsr      fir      hi1      lo1      hi2      lo2      hi3      lo3
      00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
        dspctl  restart
      00000000 00000000

TIMELINE

2024-07-25 - Initial Vendor Contact
2024-07-29 - Requesting reply from vendor
2024-07-30 - Vendor confirms receipt
2024-07-30 - Vendor Disclosure
2024-07-30 - Vendor confirms receipt
2024-09-02 - Status update request sent
2024-10-15 - Status update request. Upcoming expiration date announced.
2024-10-22 - Vendor replies product has been discontinued, but patches are being worked on
2024-11-04 - Status update request for patch release dates
2024-11-12 TALOS advisory release date announced
2025-01-14 - Public Release