CVE-2024-39803,CVE-2024-39801,CVE-2024-39802
Multiple buffer overflow vulnerabilities exist in the qos.cgi qos_settings() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to stack-based buffer overflow. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Wavlink AC3000 M33A8.V5030.210505
Wavlink AC3000 - https://www.wavlink.com/en_us/product/WL-WN533A8.html
9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
The Wavlink AC3000 wireless router is predominately one of the most popular gigabit routers in the US, in part due to both its potential wireless and wired speed capabilities and extremely low price point (costing at the time of this writing ~$60 USD). Among the configuration options, it’s also able to act as a standalone wireless gateway, a basic network router, or a wireless repeater.
When interacting with and configuring the Wavlink AC3000 wifi router, as is typical of most wifi routers, an administrator logs in via some web portal and configures appropriate options via the HTTP interface. In the case of this particular router, and in another somewhat common execution pattern, these HTML pages can invoke .cgi binaries due to how the lighttpd server is configured. Since all of these .shtml and .cgi files are located in the web root, anyone with network access to the device doesn’t actually need to log in to the device to interact with these .cgi files, and it usually is the responsibility of the .cgi binary to check if the authentication is completed successfully. On this device, one will see a check_valid_user() function in each individual .cgi binary which will check the session cookie of the HTTP request to see if it’s coming from a validly logged in user.
Assuming that we’ve passed this check in the qos.cgi binary, we then run into a set of functions that we can call based off of what we pass for the page= parameter in our HTTP POST request. Of the available commands, we focus on the following:
00400ce0 int32_t $v0_9 = web_get("page", $v0_7, 0)
00400d08 if (strcmp($v0_9, "qos") == 0)
00400e34 qos_settings($v0_7)
If we provide page=qos, we enter the qos_settings function and our provided POST data is further parsed therein:
00401100 int32_t qos_settings(int32_t arg1)
00401158 int32_t sel_qos_1 = strdup(web_get("sel_qos", arg1, 0))
00401190 int32_t qos_num_1 = strdup(web_get("qos_num", arg1, 0))
004011c8 int32_t qos_baandwidth = strdup(web_get("qos_bandwidth", arg1, 0)) // [1]
00401200 int32_t qos_dat_2 = strdup(web_get("qos_dat", arg1, 0)) // [2]
00401238 int32_t sel_mode_2 = strdup(web_get("sel_mode", arg1, 0)) // [3]
00401254 char cmdtorun[0x500]
00401254 memset(&cmdtorun, 0, 0x500)
00401274 if (zx.d(*sel_qos_1) != '1')
// [...]
00401274 else
0040136c nvram_bufset(0, "hwnatEnabled", "0")
00401388 nvram_bufset(0, "qos_mode", sel_mode_2)
004013a4 int32_t qos_strtok = strtok(qos_baandwidth, ",") // [4]
004013c0 int32_t second_strtok = strtok(0, ",") // [5]
004013d4 if (qos_strtok != 0 && second_strtok != 0)
004013e8 if (zx.d(*sel_mode_2) == 0x30)
0040147c sprintf(&cmdtorun, "%s %s %s %s", "/sbin/qos_script.sh limit_setup", qos_dat_2, second_strtok, qos_strtok, 0x425d20) // [6]
004013e8 else
00401404 sprintf(&cmdtorun, "%s %s %s %s", "/sbin/qos_script.sh mode_setup", sel_mode_2, second_strtok, qos_strtok, 0x425d20) // [7]
0040141c system("/sbin/hw_nat.sh disable")
// [...]
00401454 do_system(&cmdtorun)
Among the different POST parameters that this function can read in, we see most importantly that the qos_bandwidth, qos_dat and sel_mode fields are read in to the heap without length checking at [1], [2], and [3]. The qos_bandwidth field gets separated by a “,” char at [4] and [5], but then everything is joined back together with sprintf at [6] or [7], depending on our sel_mode parameter. Since our input qos_bandwidth, sel_mode, and qos_dat fields can easily reach 0x520 bytes (the stack offset of the cmdtorun buffer), we can overflow and overwrite the return address of the function, resulting in arbitrary code execution.
00401100 int32_t qos_settings(int32_t arg1)
// [...]
004011c8 int32_t qos_baandwidth = strdup(web_get("qos_bandwidth", arg1, 0))
// [...]
00401274 if (zx.d(*sel_qos_1) != '1')
// [...]
00401274 else
// [...]
004013a4 int32_t qos_strtok = strtok(qos_baandwidth, ",")
004013c0 int32_t second_strtok = strtok(0, ",")
004013d4 if (qos_strtok != 0 && second_strtok != 0)
004013e8 if (zx.d(*sel_mode_2) == 0x30)
0040147c sprintf(&cmdtorun, "%s %s %s %s", "/sbin/qos_script.sh limit_setup", qos_dat_2, second_strtok, qos_strtok, 0x425d20)
004013e8 else
00401404 sprintf(&cmdtorun, "%s %s %s %s", "/sbin/qos_script.sh mode_setup", sel_mode_2, second_strtok, qos_strtok, 0x425d20)
The qos_bandwidth POST parameter overflows the cmdtorun buffer, resulting in arbitrary code execution.
Thread 2.1 "qos.cgi" hit Breakpoint 4, 0x00401360 in qos_settings ()
(gdb) bt
#0 0x00401360 in qos_settings ()
#1 0x41414141 in ?? ()
Backtrace stopped: frame did not save the PC
(gdb) c
Continuing.
Warning:
Cannot insert breakpoint 0.
Cannot access memory at address 0x41414141
(gdb) info reg
zero at v0 v1 a0 a1 a2 a3
R0 00000000 00000000 7fd2aa3c 00005288 00000000 0082fad8 0082f570 0082f580
t0 t1 t2 t3 t4 t5 t6 t7
R8 77da32b4 77da26e4 00000000 ffffffff 77f0a000 f0000000 00000001 00401344
s0 s1 s2 s3 s4 s5 s6 s7
R16 41414141 41414141 41414141 41414141 41414141 41414141 0043183c ffffffff
t8 t9 k0 k1 gp sp s8 ra
R24 00000041 77da7288 00000010 00000000 77f28010 7fd2aa20 00450000 41414141
status lo hi badvaddr cause pc
0100fc13 00111044 00000030 0041ddf8 50800024 00401360
fcsr fir hi1 lo1 hi2 lo2 hi3 lo3
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dspctl restart
00000000 00000000
00401100 int32_t qos_settings(int32_t arg1)
// [...]
00401200 int32_t qos_dat_2 = strdup(web_get("qos_dat", arg1, 0))
00401238 int32_t sel_mode_2 = strdup(web_get("sel_mode", arg1, 0))
// [...]
00401274 if (zx.d(*sel_qos_1) != '1')
// [...]
00401274 else
// [...]
004013d4 if (qos_strtok != 0 && second_strtok != 0)
004013e8 if (zx.d(*sel_mode_2) == 0x30)
0040147c sprintf(&cmdtorun, "%s %s %s %s", "/sbin/qos_script.sh limit_setup", qos_dat_2, second_strtok, qos_strtok, 0x425d20)
The qos_dat POST parameter overflows the cmdtorun buffer, resulting in arbitrary code execution.
00401100 int32_t qos_settings(int32_t arg1)
// [...]
00401238 int32_t sel_mode_2 = strdup(web_get("sel_mode", arg1, 0))
00401254 char cmdtorun[0x500]
00401254 memset(&cmdtorun, 0, 0x500)
00401274 if (zx.d(*sel_qos_1) != '1')
// [...]
00401274 else
// [...]
004013d4 if (qos_strtok != 0 && second_strtok != 0)
004013e8 if (zx.d(*sel_mode_2) == 0x30)
0040147c sprintf(&cmdtorun, "%s %s %s %s", "/sbin/qos_script.sh limit_setup", qos_dat_2, second_strtok, qos_strtok, 0x425d20)
004013e8 else
00401404 sprintf(&cmdtorun, "%s %s %s %s", "/sbin/qos_script.sh mode_setup", sel_mode_2, second_strtok, qos_strtok, 0x425d20)
The sel_mode POST parameter overflows the cmdtorun buffer, resulting in arbitrary code execution.
2024-07-25 - Initial Vendor Contact
2024-07-29 - Requesting reply from vendor
2024-07-30 - Vendor confirms receipt
2024-07-30 - Vendor Disclosure
2024-07-30 - Vendor confirms receipt
2024-09-02 - Status update request sent
2024-10-15 - Status update request. Upcoming expiration date announced.
2024-10-22 - Vendor replies product has been discontinued, but patches are being worked on
2024-11-04 - Status update request for patch release dates
2024-11-12 TALOS advisory release date announced
2025-01-14 - Public Release
Discovered by Lilith >_> of Cisco Talos.