CVE-2024-39798,CVE-2024-39800,CVE-2024-39799
Multiple external config control vulnerabilities exists in the openvpn.cgi openvpn_server_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Wavlink AC3000 M33A8.V5030.210505
Wavlink AC3000 - https://www.wavlink.com/en_us/product/WL-WN533A8.html
9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE-15 - External Control of System or Configuration Setting
The Wavlink AC3000 wireless router is predominately one of the most popular gigabit routers in the US, in part due to both its potential wireless and wired speed capabilities and extremely low price point (costing at the time of this writing ~$60 USD). Among the configuration options, it’s also able to act as a standalone wireless gateway, a basic network router, or a wireless repeater.
When interacting with and configuring the Wavlink AC3000 wifi router, as is typical of most wifi routers, an administrator logs in via some web portal and configures appropriate options via the HTTP interface. In the case of this particular router, and in another somewhat common execution pattern, these HTML pages can invoke .cgi binaries due to how the lighttpd server is configured. Since all of these .shtml and .cgi files are located in the web root, anyone with network access to the device doesn’t actually need to log in to the device to interact with these .cgi files, and it usually is the responsibility of the .cgi binary to check if the authentication is completed successfully. On this device, one will see a check_valid_user() function in each individual .cgi binary which will check the session cookie of the HTTP request to see if it’s coming from a validly logged in user.
Assuming that we’ve passed this check in the openvpn.cgi binary, we then run into a set of functions that we can call based off of what we pass for the page= parameter in our HTTP POST request. Of the available commands, we focus on the following:
00400e9c if (strcmp(webget_vpntype, "client") == 0)
00400f6c openvpn_client_setup(contlen_malloc)
00400e9c else if (strcmp(webget_vpntype, "server") != 0)
00400ee4 opevpn_disbale()
00400eb4 else
00400ebc openvpn_server_setup(contlen_malloc)
As shown above, when we provide vpn_type=server, we enter the openvpn_server_setup function and our provided POST data is further parsed therein.
00401888 int32_t openvpn_server_setup(int32_t arg1)
004018f0 int32_t sel_open_server_val = strdup(web_get("sel_open_server_val", arg1, 0))
00401910 nvram_bufset(0, "openvpn_server_en", $v0_1)
0040192c nvram_bufset(0, "openvpn_mode", "1")
// [...]
00401960 nvram_commit(0)
00401984 if (strcmp(sel_open_server_val, "1") != 0)
00401d68 $a0_10 = "/sbin/openvpn.sh disable&"
00401984 else
0040199c nvram_bufset(0, "openvpn_client_en", &_0)
004019d0 int32_t open_server-name = strdup(web_get("open_server_name", arg1, 0)) // [1]
00401a08 int32_t sel_open_interface_1 = strdup(web_get("sel_open_interface", arg1, 0)) // [2]
00401a40 int32_t open_port_1 = strdup(web_get("open_port", arg1, 0)) // [3]
00401a78 int32_t open_server_username_1 = strdup(web_get("open_server_username", arg1, 0)) // [4]
00401ab0 int32_t open_server_password_1 = strdup(web_get("open_server_password", arg1, 0)) // [5]
00401ae8 int32_t sel_open_protocol_1 = strdup(web_get("sel_open_protocol", arg1, 0)) // [6]
00401b20 int32_t sel_open_guest_val_1 = strdup(web_get("sel_open_guest_val", arg1, 0))
// [...]
00401c08 nvram_bufset(0, "op_server_domain", open_server-name)
00401c24 nvram_bufset(0, "op_server_port", open_port_1)
00401c40 nvram_bufset(0, "op_server_ifname", sel_open_interface_1)
00401c5c nvram_bufset(0, "op_server_username", open_server_username_1)
00401c78 nvram_bufset(0, "op_server_password", open_server_password_1)
00401c94 nvram_bufset(0, "op_server_protocol", sel_open_protocol_1)
00401cb0 nvram_bufset(0, "op_server_guest_en", sel_open_guest_val_1)
00401cd0 int32_t open_server_username_2 = open_server_username_1
00401cd4 int32_t open_server_password_2 = open_server_password_1
00401cdc free_all(7, open_server-name, open_port_1, sel_open_interface_1, open_server_username_2, open_server_password_2, sel_open_protocol_1, sel_open_guest_val_1, 0x426e30)
00401d04 if (atoi(sel_open_guest_val_1) == 1)
004021fc int32_t open_server_password_3 = strdup(web_get("open_guest_username", arg1, 0)) // [7]
00402234 int32_t open_server_password_4 = strdup(web_get("open_guest_password", arg1, 0)) // [8]
0040226c int32_t open_server_password_5 = strdup(web_get("open_guest_usage_time", arg1, 0)) // [9]
// [...]
004022e4 nvram_bufset(0, "op_guest_username", open_server_password_3)
00402300 nvram_bufset(0, "op_guest_password", open_server_password_4)
0040231c nvram_bufset(0, "op_guest_usage_time", open_server_password_5)
// [...] $a0_10 = "/sbin/openvpn.sh server_start&" // [10]
It suffices for the above function to summarize it as: assuming our openvpn_mode POST parameter is “1”, all of the other POST parameters marked above are all thrown into nvram. If our sel_open_guest_val is “1” as well, then we also throw [7], [8], and [9] into nvram. After all this, the binary eventually runs the command listed at [10]. Continuing within /sbin/openvpn.sh server_start, we hit the server_vpn_start function:
server_vpn_start() {
vpn_restart
vpn_start
nvram_set 2860 openvpn_server_en 1
rm /vendor/openvpn/server/server.conf -rf
touch /vendor/openvpn/server/server.conf
PORT=`nvram_get 2860 op_server_port`
DOMAIN=`nvram_get 2860 op_server_domain`
IF_NAME=`nvram_get 2860 op_server_ifname`
USERNAME=`nvram_get 2860 op_server_username`
PASSWORD=`nvram_get 2860 op_server_password`
PROTOCOL=`nvram_get 2860 op_server_protocol`
GUEST_EN=`nvram_get 2860 op_server_guest_en`
echo "$USERNAME $PASSWORD" > /vendor/openvpn/server/pwd_file
# generate server config file
echo "port $PORT" >> /vendor/openvpn/server/server.conf // [11]
echo "proto $PROTOCOL" >> /vendor/openvpn/server/server.conf // [12]
echo "dev $IF_NAME" >> /vendor/openvpn/server/server.conf // [13]
cat /vendor/openvpn/server/server_tmp.conf >> /vendor/openvpn/server/server.conf
# generate client ovpn file
echo "client" > /vendor/openvpn/server/client.ovpn
echo "proto $PROTOCOL" >> /vendor/openvpn/server/client.ovpn
echo "remote $DOMAIN $PORT" >> /vendor/openvpn/server/client.ovpn
echo "dev $IF_NAME" >> /vendor/openvpn/server/client.ovpn
cat /vendor/openvpn/server/client_tmp.conf >> /vendor/openvpn/server/client.ovpn
echo "<ca>" >> /vendor/openvpn/server/client.ovpn
cat /vendor/openvpn/server/ca.crt >> /vendor/openvpn/server/client.ovpn
echo "</ca>" >> /vendor/openvpn/server/client.ovpn
echo "<cert>" >> /vendor/openvpn/server/client.ovpn
cat /vendor/openvpn/server/client.crt >> /vendor/openvpn/server/client.ovpn
echo "</cert>" >> /vendor/openvpn/server/client.ovpn
echo "<key>" >> /vendor/openvpn/server/client.ovpn
cat /vendor/openvpn/server/client.key >> /vendor/openvpn/server/client.ovpn
echo "</key>" >> /vendor/openvpn/server/client.ovpn
// [...]
openvpn --cd /vendor/openvpn/server/ --config server.conf& // [14]
As we clearly see above, our parameters are all read into bash variables and then echoed into various configuration files. For this vulnerability, the ones we really only care about are the $PORT [11], $PROTOCOL [12], and $IF_NAME [13] variables listed above. Since there’s no filtering of newlines at all, we can inject arbitrary configuration via any one of these three variables. As such, if we happen to inject a line like --up '/bin/sh -c "<arb command>"', we can execute arbitrary bash commands when the openvpn binary is run at [14].
00401888 int32_t openvpn_server_setup(int32_t arg1)
004018f0 int32_t sel_open_server_val = strdup(web_get("sel_open_server_val", arg1, 0))
00401910 nvram_bufset(0, "openvpn_server_en", $v0_1)
0040192c nvram_bufset(0, "openvpn_mode", "1")
// [...]
00401960 nvram_commit(0)
00401984 if (strcmp(sel_open_server_val, "1") != 0)
00401d68 $a0_10 = "/sbin/openvpn.sh disable&"
00401984 else
00401ae8 int32_t sel_open_protocol_1 = strdup(web_get("sel_open_protocol", arg1, 0))
// [...]
00401c94 nvram_bufset(0, "op_server_protocol", sel_open_protocol_1)
// [...] $a0_10 = "/sbin/openvpn.sh server_start&"
Continuing within the /sbin/openvpn.sh server_start& script:
server_vpn_start() {
vpn_restart
vpn_start
nvram_set 2860 openvpn_server_en 1
// [...]
PROTOCOL=`nvram_get 2860 op_server_protocol`
// [...]
echo "proto $PROTOCOL" >> /vendor/openvpn/server/server.conf
00401888 int32_t openvpn_server_setup(int32_t arg1)
004018f0 int32_t sel_open_server_val = strdup(web_get("sel_open_server_val", arg1, 0))
00401910 nvram_bufset(0, "openvpn_server_en", $v0_1)
0040192c nvram_bufset(0, "openvpn_mode", "1")
// [...]
00401960 nvram_commit(0)
00401984 if (strcmp(sel_open_server_val, "1") != 0)
00401d68 $a0_10 = "/sbin/openvpn.sh disable&"
00401984 else
00401a08 int32_t sel_open_interface_1 = strdup(web_get("sel_open_interface", arg1, 0))
// [...]
00401c40 nvram_bufset(0, "op_server_ifname", sel_open_interface_1)
// [...] $a0_10 = "/sbin/openvpn.sh server_start&"
Continuing within the /sbin/openvpn.sh server_start& script:
server_vpn_start() {
// [...]
IF_NAME=`nvram_get 2860 op_server_ifname`
// [...]
echo "dev $IF_NAME" >> /vendor/openvpn/server/server.conf
00401888 int32_t openvpn_server_setup(int32_t arg1)
004018f0 int32_t sel_open_server_val = strdup(web_get("sel_open_server_val", arg1, 0))
00401910 nvram_bufset(0, "openvpn_server_en", $v0_1)
0040192c nvram_bufset(0, "openvpn_mode", "1")
// [...]
00401960 nvram_commit(0)
00401984 if (strcmp(sel_open_server_val, "1") != 0)
00401d68 $a0_10 = "/sbin/openvpn.sh disable&"
00401984 else
// [...]
00401a40 int32_t open_port_1 = strdup(web_get("open_port", arg1, 0))
// [...]
00401c24 nvram_bufset(0, "op_server_port", open_port_1)
// [...] $a0_10 = "/sbin/openvpn.sh server_start&"
Continuing within the /sbin/openvpn.sh server_start& script:
server_vpn_start() {
// [...]
PORT=`nvram_get 2860 op_server_port`
// [...]
echo "port $PORT" >> /vendor/openvpn/server/server.conf
2024-07-25 - Initial Vendor Contact
2024-07-29 - Requesting reply from vendor
2024-07-30 - Vendor confirms receipt
2024-07-30 - Vendor Disclosure
2024-07-30 - Vendor confirms receipt
2024-09-02 - Status update request sent
2024-10-15 - Status update request. Upcoming expiration date announced.
2024-10-22 - Vendor replies product has been discontinued, but patches are being worked on
2024-11-04 - Status update request for patch release dates
2024-11-12 TALOS advisory release date announced
2025-01-14 - Public Release
Discovered by Lilith >_> of Cisco Talos.