CVE-2024-36258
A stack-based buffer overflow vulnerability exists in the touchlist_sync.cgi touchlistsync() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can send an HTTP request to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Wavlink AC3000 M33A8.V5030.210505
Wavlink AC3000 - https://www.wavlink.com/en_us/product/WL-WN533A8.html
10.0 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-121 - Stack-based Buffer Overflow
The Wavlink AC3000 wireless router is predominately one of the most popular gigabit routers in the US, in part due to both its potential wireless and wired speed capabilities and extremely low price point (costing at the time of this writing ~$60 USD). Among the configuration options, it’s also able to act as a standalone wireless gateway, a basic network router, or a wireless repeater.
When interacting with and configuring the Wavlink AC3000 wifi router, as is typical of most wifi routers, an administrator logs in via some web portal and configures appropriate options via the HTTP interface. In the case of this particular router, and in another somewhat common execution pattern, these HTML pages can invoke .cgi binaries due to how the lighttpd server is configured. Since all of these .shtml and .cgi files are located in the web root, anyone with network access to the device doesn’t actually need to log in to the device to interact with these .cgi files, and it usually is the responsibility of the .cgi binary to check if the authentication is completed successfully. On this device, one will see a check_valid_user()
function in each individual .cgi binary which will check the session
cookie of the HTTP request to see if it’s coming from a validly logged in user.
In the case of the touchlink_sync.cgi
binary, there’s not actually a call to check_valid_user()
, so the only requirement to hit any of the vulnerabilities herein is a network connection. With that in mind, let us actually delve into the main functionality of this binary:
00400ab0 int32_t main(int32_t argc, char** argv, char** envp)
00400af0 char* qstr = getenv(name: "QUERY_STRING") // [1]
00400b0c char* AccessControlList2_nvram = nvram_bufget(2, "AccessControlList2")
00400b54 if (strcmp(str1: web_get("getACL", qstr, 0), str2: "1") != 0) // [2]
00400c28 int32_t var_600
00400c28 char* tmp
00400c28 if (access("/tmp/web_log") == 0)
//[...]
00400c40 int32_t IP = web_get("IP", qstr, 0) // [3]
00400c58 putchar(char_: '1')
00400c68 if (zx.d(*IP) != 0)
00400c78 char* str1 = nvram_bufget(0, "MeshMode")
00400c94 int32_t $v0_9 = nvram_bufget(0, "lan_ipaddr")
00400cb0 int32_t is_MeshMode = strcmp(str1, str2: "1")
00400cbc void cmd_to_run
00400cbc char result_str[0x481]
00400cbc void* popen_results
00400cbc int32_t $v0_22
00400cbc void* stream_3
00400cbc if (is_MeshMode == 0) // [4]
00400ed0 // -m is just max time
00400ed0 sprintf(&cmd_to_run, "curl -s -m 5 http://%s/cgi-bin/touchlist_sync.cgi?getACL=1", IP) // [5]
00400ef4 if (access("/tmp/web_log") == 0)
// [...]
00400f08 popen_results = popen(&cmd_to_run, "r") // [6]
At [1], the binary immediately grabs the QUERY_STRING
environment variable (which is how lighttpd passes in data to .cgi
files), and the query string is searched for the getACL
parameter at [2]. Assuming this either not found or is equal to anything but “1”, we enter the branch at [2]. Our query string is then again parsed at [3], except now we search for the IP
parameter. Assuming this is found and is non-null, we continue on to the branch at [4], where by the IP address we provide is inserted into a curl command at [5] and then subsequently executed at [6]. Continuing on:
00400f18 if (popen_results != 0)
00400f34 while (true)
00400f48 if (fgets(str: &result_str, n: 0x481, stream: popen_results) == 0) // [7]
00400f48 break
00400f64 if (strcmp(str1: &result_str, str2: &_0) == 0)
00400bf0 return 0
00400f74 if (sx.d(result_str[0]) == 0)
00400bf0 return 0
00400f88 if (access("/tmp/web_log") == 0)
// [...]
00400fac if (strchr(str: &result_str, c: ':') != 0 && strchr(str: &result_str, c: ';') != 0) // [8]
00400fc8 touchlistsync(server_resp: &result_str) // [9]
Since we control the IP address that the curl request is sent to, we should also control the data within the HTTP response. This response is read in as 0x481 chunks at [7] and each chunk is checked to see if it contains a ‘;’ character and a ‘:’ character. Assuming this is true, we enter the touchlistsync()
function at [9] with our length 0x481 chunk of data passed in:
004018cc int32_t touchlistsync(char* server_resp)
00401914 char* acl2 = nvram_bufget(2, "AccessControlList2")
00401930 nvram_bufget(0, "MeshMode")
0040194c char acl2_1[0x200]
0040194c strcpy(dest: &acl2_1, src: acl2)
00401964 char sresp[0x200]
00401964 strcpy(dest: &sresp, src: server_resp)
0040197c char sresp2[0x200] // 0x480 here
0040197c strcpy(dest: &sresp2, src: server_resp) // [10]
004019a0 char (* var_b48)[0x200]
004019a0 if (access("/tmp/web_log") == 0)
// [...]
004019b0 if (sx.d(sresp2[0]) != 0)
00401cd8 char* i = strtok(str: &sresp2, delim: ";") // [11]
00401ce4 if (i != 0)
00401d40 do
00401d04 char cmd_to_run[0x80]
00401d04 sprintf(&cmd_to_run, "iwpriv rax2 set ACLAddEntry="%s"", i) // [12]
00401d1c do_system(&cmd_to_run) // [13]
00401d34 i = strtok(str: nullptr, delim: ";")
00401d40 while (i != 0)
Our input is copied into a sufficiently sized stack buffer at [10] and then we iterate over all of the semi-colon delimited values therein at [11]. Each value is inserted into an iwpriv
command at [12], which we immediately execute at [13]. Since it does not matter if this input command is actually valid, and it also does not matter how many semi-colons we have within our buffer, we can continue down to another loop even with 200+ semicolons:
004019d4 if (sx.d(our_inp_copy2_[0]) != 0)
00401b3c char* stack_strtok = strtok(str: &our_inp_copy2_, delim: ";")
00401b4c char* written_in = stack_strtok
00401b48 if (stack_strtok != 0)
00401b54 int32_t ctr_offset_m2__ = ctr << 1
00401b50 int32_t ctr_offset_m2__1
00401b50 char* written_in_1
00401b50 int32_t is_str_in_list
00401b50 int32_t ctr_offset_m16_
00401b50 if (ctr != 0)
00401bc0 do // [14]
00401b58 ctr_offset_m16_ = ctr << 4
00401b5c ctr_offset_m2__1 = ctr_offset_m2__
00401b64 int32_t inc_by_0x12_1 = 0
00401b68 is_str_in_list = 1
00401b90 do
00401b84 int32_t is_same_str = neg.d(0 u< strncasecmp(&final_buf[inc_by_0x12_1], written_in, 0x11) ? 1 : 0)
00401b88 inc_by_0x12_1 = inc_by_0x12_1 + 0x12
00401b94 is_str_in_list = is_str_in_list & is_same_str
00401b90 while (inc_by_0x12_1 != ctr_offset_m2__ + ctr_offset_m16_)
00401b98 if (is_str_in_list != 0)
00401b98 break
00401bac label_401bac: // [15]
00401bac written_in_1 = strtok(str: nullptr, delim: ";")
00401bbc written_in = written_in_1
00401bb8 if (written_in_1 == 0)
00401bb8 break
00401bc4 ctr_offset_m2__ = ctr << 1
00401bc0 while (ctr != 0) // [16]
00401b98 if (ctr == 0 || (ctr != 0 && is_str_in_list == 0 && not(is_str_in_list == 0 && written_in_1 == 0)))
00401bc8 ctr_offset_m2__1 = 0
00401bcc ctr_offset_m16_ = 0
00401be8 // assuming it writes in if it wasn't
00401be8 // already found in the list...
00401be8 label_401be8:
00401be8 sprintf(&final_buf[ctr_offset_m2__1 + ctr_offset_m16_], "%s;", written_in) // [17]
00401bf8 ctr = ctr + 1 // s7 ==> 0xf5
00401bf4 goto label_401bac
00401b98 if (ctr != 0 && is_str_in_list != 0)
00401b98 goto label_401be8
Having finally reached our vulnerable piece of code, let us summarize the code flow. At [14] we enter a loop that continues as long as the the ctr
variable is not zero [15]. It iterates over every set of bytes in between our semi-colons and checks a stack buffer to see if that set of bytes is already in the char final_buff[0x400]
stack buffer at stack offset -0x480. Assuming that the given set of bytes from our input is not already within the final_buff
buffer, it is appended to the end with the sprintf at [17]. Then it goes back up to the label at [15], strtok’s again, and restarts the loop. Thus, we end up copying every unique semi-colon input-separated input into the final buffer. While our input buffer is only 0x400 bytes, and the final buffer is appropriately 0x400 bytes as well, as shown in the lines immediately following [14], every semicolon in our input ends up advancing the destination of the copy inside of the final buffer by 0x12 bytes regardless of how many bytes are between the semicolons. Thus, an input of ;1;2;3
, would copy “1” to offset 0x0, “2” to offset 0x12, “3” to offset 0x24, etc. Thus, we can have short inputs in order to advance the destination of the sprintf
copy further than the 0x400 bounds of the final_buff
buffer, and successfully overwrite the return address for the function with arbitrary bytes.
Thread 2.1 "touchlist_sync." received signal SIGSEGV, Segmentation fault.
0x41414343 in ?? ()
(gdb) info reg
zero at v0 v1 a0 a1 a2 a3
R0 00000000 00000000 00007f00 ffffffff 00000003 7fb1e6bc 00000000 00000000
t0 t1 t2 t3 t4 t5 t6 t7
R8 00000000 00000000 00000000 00000000 00000001 00000000 00000000 00000000
s0 s1 s2 s3 s4 s5 s6 s7
R16 3b4cf41c 00400000 00400000 77947410 0072a980 42424242 42424242 42424242
t8 t9 k0 k1 gp sp s8 ra
R24 00000000 77881450 00000010 00000000 7791e490 7fb1f2c0 42424242 41414343
status lo hi badvaddr cause pc
0100fc13 00000400 00000000 41414342 50800008 41414343
fcsr fir hi1 lo1 hi2 lo2 hi3 lo3
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dspctl restart
00000000 00000000
2024-07-25 - Initial Vendor Contact
2024-07-29 - Requesting reply from vendor
2024-07-30 - Vendor confirms receipt
2024-07-30 - Vendor Disclosure
2024-07-30 - Vendor confirms receipt
2024-09-02 - Status update request sent
2024-10-15 - Status update request. Upcoming expiration date announced.
2024-10-22 - Vendor replies product has been discontinued, but patches are being worked on
2024-11-04 - Status update request for patch release dates
2024-11-12 TALOS advisory release date announced
2025-01-14 - Public Release
Discovered by Lilith >_> of Cisco Talos.