Talos Vulnerability Report

TALOS-2024-2046

Wavlink AC3000 touchlist_sync.cgi touchlistsync() buffer overflow vulnerability

January 14, 2025
CVE Number

CVE-2024-36258

SUMMARY

A stack-based buffer overflow vulnerability exists in the touchlist_sync.cgi touchlistsync() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can send an HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Wavlink AC3000 M33A8.V5030.210505

PRODUCT URLS

Wavlink AC3000 - https://www.wavlink.com/en_us/product/WL-WN533A8.html

CVSSv3 SCORE

10.0 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-121 - Stack-based Buffer Overflow

DETAILS

The Wavlink AC3000 wireless router is predominately one of the most popular gigabit routers in the US, in part due to both its potential wireless and wired speed capabilities and extremely low price point (costing at the time of this writing ~$60 USD). Among the configuration options, it’s also able to act as a standalone wireless gateway, a basic network router, or a wireless repeater.

When interacting with and configuring the Wavlink AC3000 wifi router, as is typical of most wifi routers, an administrator logs in via some web portal and configures appropriate options via the HTTP interface. In the case of this particular router, and in another somewhat common execution pattern, these HTML pages can invoke .cgi binaries due to how the lighttpd server is configured. Since all of these .shtml and .cgi files are located in the web root, anyone with network access to the device doesn’t actually need to log in to the device to interact with these .cgi files, and it usually is the responsibility of the .cgi binary to check if the authentication is completed successfully. On this device, one will see a check_valid_user() function in each individual .cgi binary which will check the session cookie of the HTTP request to see if it’s coming from a validly logged in user.

In the case of the touchlink_sync.cgi binary, there’s not actually a call to check_valid_user(), so the only requirement to hit any of the vulnerabilities herein is a network connection. With that in mind, let us actually delve into the main functionality of this binary:

00400ab0  int32_t main(int32_t argc, char** argv, char** envp)

00400af0      char* qstr = getenv(name: "QUERY_STRING")                               // [1]
00400b0c      char* AccessControlList2_nvram = nvram_bufget(2, "AccessControlList2")
00400b54      if (strcmp(str1: web_get("getACL", qstr, 0), str2: "1") != 0)           // [2]
00400c28          int32_t var_600
00400c28          char* tmp
00400c28          if (access("/tmp/web_log") == 0)
//[...]
00400c40          int32_t IP = web_get("IP", qstr, 0)               // [3]
00400c58          putchar(char_: '1')
00400c68          if (zx.d(*IP) != 0)
00400c78              char* str1 = nvram_bufget(0, "MeshMode")
00400c94              int32_t $v0_9 = nvram_bufget(0, "lan_ipaddr")
00400cb0              int32_t is_MeshMode = strcmp(str1, str2: "1")
00400cbc              void cmd_to_run
00400cbc              char result_str[0x481]
00400cbc              void* popen_results
00400cbc              int32_t $v0_22
00400cbc              void* stream_3
00400cbc              if (is_MeshMode == 0)                          // [4]
00400ed0                  // -m is just max time
    00400ed0                  sprintf(&cmd_to_run, "curl -s -m 5 http://%s/cgi-bin/touchlist_sync.cgi?getACL=1", IP)  // [5]
00400ef4                  if (access("/tmp/web_log") == 0)
// [...]
00400f08                  popen_results = popen(&cmd_to_run, "r")  //  [6]

At [1], the binary immediately grabs the QUERY_STRING environment variable (which is how lighttpd passes in data to .cgi files), and the query string is searched for the getACL parameter at [2]. Assuming this either not found or is equal to anything but “1”, we enter the branch at [2]. Our query string is then again parsed at [3], except now we search for the IP parameter. Assuming this is found and is non-null, we continue on to the branch at [4], where by the IP address we provide is inserted into a curl command at [5] and then subsequently executed at [6]. Continuing on:

00400f18                  if (popen_results != 0)
00400f34                      while (true)
00400f48                          if (fgets(str: &result_str, n: 0x481, stream: popen_results) == 0)   // [7]
00400f48                              break
00400f64                          if (strcmp(str1: &result_str, str2: &_0) == 0)
00400bf0                              return 0
00400f74                          if (sx.d(result_str[0]) == 0)
00400bf0                              return 0
00400f88                          if (access("/tmp/web_log") == 0)
// [...]
00400fac                          if (strchr(str: &result_str, c: ':') != 0 && strchr(str: &result_str, c: ';') != 0) // [8]
00400fc8                              touchlistsync(server_resp: &result_str)  // [9]

Since we control the IP address that the curl request is sent to, we should also control the data within the HTTP response. This response is read in as 0x481 chunks at [7] and each chunk is checked to see if it contains a ‘;’ character and a ‘:’ character. Assuming this is true, we enter the touchlistsync() function at [9] with our length 0x481 chunk of data passed in:

004018cc  int32_t touchlistsync(char* server_resp)
00401914      char* acl2 = nvram_bufget(2, "AccessControlList2")
00401930      nvram_bufget(0, "MeshMode")
0040194c      char acl2_1[0x200]
0040194c      strcpy(dest: &acl2_1, src: acl2)
00401964      char sresp[0x200]  
00401964      strcpy(dest: &sresp, src: server_resp)  
0040197c      char sresp2[0x200]  // 0x480 here
0040197c      strcpy(dest: &sresp2, src: server_resp)   // [10]
004019a0      char (* var_b48)[0x200]
004019a0      if (access("/tmp/web_log") == 0)
// [...] 
004019b0      if (sx.d(sresp2[0]) != 0)
00401cd8          char* i = strtok(str: &sresp2, delim: ";") // [11]
00401ce4          if (i != 0)
00401d40              do
00401d04                  char cmd_to_run[0x80]
00401d04                  sprintf(&cmd_to_run, "iwpriv rax2 set ACLAddEntry="%s"", i) // [12]
00401d1c                  do_system(&cmd_to_run)                                      // [13]
00401d34                  i = strtok(str: nullptr, delim: ";")
00401d40              while (i != 0)

Our input is copied into a sufficiently sized stack buffer at [10] and then we iterate over all of the semi-colon delimited values therein at [11]. Each value is inserted into an iwpriv command at [12], which we immediately execute at [13]. Since it does not matter if this input command is actually valid, and it also does not matter how many semi-colons we have within our buffer, we can continue down to another loop even with 200+ semicolons:

004019d4      if (sx.d(our_inp_copy2_[0]) != 0)
00401b3c          char* stack_strtok = strtok(str: &our_inp_copy2_, delim: ";")
00401b4c          char* written_in = stack_strtok
00401b48          if (stack_strtok != 0)
00401b54              int32_t ctr_offset_m2__ = ctr << 1
00401b50              int32_t ctr_offset_m2__1
00401b50              char* written_in_1
00401b50              int32_t is_str_in_list
00401b50              int32_t ctr_offset_m16_
00401b50              if (ctr != 0)
00401bc0                  do                                           // [14]
00401b58                      ctr_offset_m16_ = ctr << 4
00401b5c                      ctr_offset_m2__1 = ctr_offset_m2__
00401b64                      int32_t inc_by_0x12_1 = 0
00401b68                      is_str_in_list = 1
00401b90                      do
00401b84                          int32_t is_same_str = neg.d(0 u< strncasecmp(&final_buf[inc_by_0x12_1], written_in, 0x11) ? 1 : 0)
00401b88                          inc_by_0x12_1 = inc_by_0x12_1 + 0x12
00401b94                          is_str_in_list = is_str_in_list & is_same_str
00401b90                      while (inc_by_0x12_1 != ctr_offset_m2__ + ctr_offset_m16_)
00401b98                      if (is_str_in_list != 0)
00401b98                          break
00401bac                      label_401bac: // [15]
00401bac                      written_in_1 = strtok(str: nullptr, delim: ";")
00401bbc                      written_in = written_in_1
00401bb8                      if (written_in_1 == 0)
00401bb8                          break
00401bc4                      ctr_offset_m2__ = ctr << 1
00401bc0                  while (ctr != 0)  // [16]
00401b98              if (ctr == 0 || (ctr != 0 && is_str_in_list == 0 && not(is_str_in_list == 0 && written_in_1 == 0)))
00401bc8                  ctr_offset_m2__1 = 0
00401bcc                  ctr_offset_m16_ = 0
00401be8                  // assuming it writes in if it wasn't
00401be8                  // already found in the list...
00401be8                  label_401be8:
00401be8                  sprintf(&final_buf[ctr_offset_m2__1 + ctr_offset_m16_], "%s;", written_in)   // [17]
00401bf8                  ctr = ctr + 1  // s7 ==> 0xf5
00401bf4                  goto label_401bac
00401b98              if (ctr != 0 && is_str_in_list != 0)
00401b98                  goto label_401be8

Having finally reached our vulnerable piece of code, let us summarize the code flow. At [14] we enter a loop that continues as long as the the ctr variable is not zero [15]. It iterates over every set of bytes in between our semi-colons and checks a stack buffer to see if that set of bytes is already in the char final_buff[0x400] stack buffer at stack offset -0x480. Assuming that the given set of bytes from our input is not already within the final_buff buffer, it is appended to the end with the sprintf at [17]. Then it goes back up to the label at [15], strtok’s again, and restarts the loop. Thus, we end up copying every unique semi-colon input-separated input into the final buffer. While our input buffer is only 0x400 bytes, and the final buffer is appropriately 0x400 bytes as well, as shown in the lines immediately following [14], every semicolon in our input ends up advancing the destination of the copy inside of the final buffer by 0x12 bytes regardless of how many bytes are between the semicolons. Thus, an input of ;1;2;3, would copy “1” to offset 0x0, “2” to offset 0x12, “3” to offset 0x24, etc. Thus, we can have short inputs in order to advance the destination of the sprintf copy further than the 0x400 bounds of the final_buff buffer, and successfully overwrite the return address for the function with arbitrary bytes.

Crash Information

Thread 2.1 "touchlist_sync." received signal SIGSEGV, Segmentation fault.
0x41414343 in ?? ()

(gdb) info reg
          zero       at       v0       v1       a0       a1       a2       a3
 R0   00000000 00000000 00007f00 ffffffff 00000003 7fb1e6bc 00000000 00000000
            t0       t1       t2       t3       t4       t5       t6       t7
 R8   00000000 00000000 00000000 00000000 00000001 00000000 00000000 00000000
            s0       s1       s2       s3       s4       s5       s6       s7
 R16  3b4cf41c 00400000 00400000 77947410 0072a980 42424242 42424242 42424242
            t8       t9       k0       k1       gp       sp       s8       ra
 R24  00000000 77881450 00000010 00000000 7791e490 7fb1f2c0 42424242 41414343
        status       lo       hi badvaddr    cause       pc
      0100fc13 00000400 00000000 41414342 50800008 41414343
          fcsr      fir      hi1      lo1      hi2      lo2      hi3      lo3
      00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
        dspctl  restart
      00000000 00000000
TIMELINE

2024-07-25 - Initial Vendor Contact
2024-07-29 - Requesting reply from vendor
2024-07-30 - Vendor confirms receipt
2024-07-30 - Vendor Disclosure
2024-07-30 - Vendor confirms receipt
2024-09-02 - Status update request sent
2024-10-15 - Status update request. Upcoming expiration date announced.
2024-10-22 - Vendor replies product has been discontinued, but patches are being worked on
2024-11-04 - Status update request for patch release dates
2024-11-12 TALOS advisory release date announced
2025-01-14 - Public Release

Credit

Discovered by Lilith >_> of Cisco Talos.