CVE-2024-39793,CVE-2024-39795,CVE-2024-39794
Multiple external config control vulnerabilities exist in the nas.cgi set_nas() proftpd functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to permission bypass. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Wavlink AC3000 M33A8.V5030.210505
Wavlink AC3000 - https://www.wavlink.com/en_us/product/WL-WN533A8.html
9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE-15 - External Control of System or Configuration Setting
The Wavlink AC3000 wireless router is predominately one of the most popular gigabit routers in the US, in part due to both its potential wireless and wired speed capabilities and extremely low price point (costing at the time of this writing ~$60 USD). Among the configuration options, it’s also able to act as a standalone wireless gateway, a basic network router, or a wireless repeater.
When interacting with and configuring the Wavlink AC3000 wifi router, as is typical of most wifi routers, an administrator logs in via some web portal and configures appropriate options via the HTTP interface. In the case of this particular router, and in another somewhat common execution pattern, these HTML pages can invoke .cgi binaries due to how the lighttpd server is configured. Since all of these .shtml and .cgi files are located in the web root, anyone with network access to the device doesn’t actually need to log in to the device to interact with these .cgi files, and it usually is the responsibility of the .cgi binary to check if the authentication is completed successfully. On this device, one will see a check_valid_user() function in each individual .cgi binary which will check the session cookie of the HTTP request to see if it’s coming from a validly logged in user.
Assuming that we’ve passed this check in the nas.cgi binary, we then run into a set of functions that we can call based off of what we pass for the page= parameter in our HTTP POST request. Of the available commands, we focus on the following:
00400bfc if (contlenp1 s>= 2)
00400c08 if (contlenp1 s>= 0x200)
00400d58 contlenp1 = 0x200
00400c1c char inpbuf[0x200]
00400c1c memset(&inpbuf, 0, 0x200)
00400c38 fgets(&inpbuf, contlenp1, *stdin)
00400c54 int32_t $v0_8 = web_get("page", &inpbuf, 0)
// [...]
00400d08 else if (strcmp($v0_8, "nas") == 0)
00400d2c set_nas(&inpbuf)
While our input POST data is limited to 0x200 bytes, if we provide page=nas, we enter the set_nas function and our provided POST data is further parsed therein.
00401864 int32_t set_nas(int32_t arg1)
00401890 web_debug_header()
004018c4 int32_t User1Passwd = strdup(web_get("User1Passwd", arg1, 0))
004018ec int32_t User1Passwd_1
// [...]
004018fc if (sx.d(*User1Passwd) != 0)
004019fc do_system("chpasswd.sh %s %s", "share", User1Passwd)
00401a18 nvram_bufset(0, "User1Passwd", User1Passwd)
00401a30 nvram_commit(0)
00401a68 nvram_bufset(0, "FtpEnabled", web_get("ftp_enabled", arg1, 1))
00401aa0 nvram_bufset(0, "FtpName", web_get("ftp_name", arg1, 1))
00401ad8 nvram_bufset(0, "FtpAnonymous", web_get("ftp_anonymous", arg1, 1))
00401b10 nvram_bufset(0, "FtpPort", web_get("ftp_port", arg1, 1))
00401b48 nvram_bufset(0, "FtpMaxSessions", web_get("ftp_max_sessions", arg1, 1))
00401b80 nvram_bufset(0, "FtpAddDir", web_get("ftp_adddir", arg1, 1))
00401bb8 nvram_bufset(0, "FtpRename", web_get("ftp_rename", arg1, 1))
00401bf0 nvram_bufset(0, "FtpRemove", web_get("ftp_remove", arg1, 1))
00401c28 nvram_bufset(0, "FtpRead", web_get("ftp_read", arg1, 1))
00401c60 nvram_bufset(0, "FtpWrite", web_get("ftp_write", arg1, 1))
00401c98 nvram_bufset(0, "FtpDownload", web_get("ftp_download", arg1, 1))
00401cd0 nvram_bufset(0, "FtpUpload", web_get("ftp_upload", arg1, 1))
00401d08 nvram_bufset(0, "SmbEnabled", web_get("smb_enabled", arg1, 1))
00401d40 nvram_bufset(0, "HostName", web_get("smb_workgroup", arg1, 1))
00401d78 nvram_bufset(0, "SmbNetBIOS", web_get("smb_netbios", arg1, 1))
00401d90 nvram_commit(0)
00401da8 do_system("storage.sh ftp")
As shown above, a large number of HTTP POST parameters are read in from our request and then immediately stored into nvram. To see the implications of this we must examine what the call to storage.sh ftp does :
setFtp()
{
ftpname=`nvram_get 2860 FtpName`
ftpport=`nvram_get 2860 FtpPort`
ftpguest=`nvram_get 2860 FtpAnonymous`
ftpmax=`nvram_get 2860 FtpMaxSessions`
ftpadddir=`nvram_get 2860 FtpAddDir`
ftprename=`nvram_get 2860 FtpRename`
ftpremove=`nvram_get 2860 FtpRemove`
ftpread=`nvram_get 2860 FtpRead`
ftpwrite=`nvram_get 2860 FtpWrite`
ftpdownload=`nvram_get 2860 FtpDownload`
ftpupload=`nvram_get 2860 FtpUpload`
admID=`nvram_get 2860 Login`
admPW=`nvram_get 2860 Password`
ip=`nvram_get 2860 lan_ipaddr`
echo "proftpd.sh server "$ftpname" $ip $ftpport $ftpmax"
proftpd.sh server "$ftpname" $ip $ftpport $ftpmax // [1]
We reach the setFtp function quite quickly and some of our inputs are read into bash variables and then passed into the proftpd.sh server ... call at [1]. Continuing into this new script:
if [ "$1" == "server" ]; then
if [ ! -n "$5" ]; then
Usage
else
SERVER_NAME="$2"
IP_ADDR="$3"
TCP_PORT="$4"
MAX_CONN="$5"
setFtpServer // [2]
fi
We hit this branch and then enter the setFtpServer function at [2]:
setFtpServer()
{
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
echo "ServerName $SERVER_NAME" > $PROFTPD_FILE // [3]
echo "DefaultAddress $IP_ADDR" >> $PROFTPD_FILE
echo "ServerType standalone" >> $PROFTPD_FILE
echo "DefaultServer on" >> $PROFTPD_FILE
echo "AuthUserFile /etc/passwd" >> $PROFTPD_FILE
#ScoreboardFile /etc/proftpd.scoreboard
# Port 21 is the standard FTP port.
echo "Port $TCP_PORT" >> $PROFTPD_FILE // [4]
PART1=`mount | grep "/media/" | sed 's/^.*media/\/media/g' | sed 's/ type.*$//g' | sed -n '1p'`
PART2=`mount | grep "/media/" | sed 's/^.*media/\/media/g' | sed 's/ type.*$//g'`
echo "MaxInstances $MAX_CONN" >> $PROFTPD_FILE // [5]
Without going further, we can see the most important parts at [3], [4], and [5], as we directly control these particular inputs. Since there’s no newline filtering on what we pass into these variables, we can directly inject proftpd configuration into /etc/proftpd.conf. While there might be more enterprising uses of this the easiest is to just inject a line of DefaultRoot /, such that the proftpd server can act upon the entire filesystem, instead of the expected /media/ folder that is in the default configuration. As such this grants us directory traversal to any directory that is accessible to the user we login with, which can quickly lead to gaining a shell on the system.
00401864 int32_t set_nas(int32_t arg1)
00401890 web_debug_header()
004018c4 int32_t User1Passwd = strdup(web_get("User1Passwd", arg1, 0))
004018ec int32_t User1Passwd_1
// [...]
004018fc if (sx.d(*User1Passwd) != 0)
// [...]
00401aa0 nvram_bufset(0, "FtpName", web_get("ftp_name", arg1, 1))
// [...]
00401da8 do_system("storage.sh ftp")
Continuing in storage.sh ftp:
setFtp()
{
ftpname=`nvram_get 2860 FtpName`
// [...]
echo "proftpd.sh server "$ftpname" $ip $ftpport $ftpmax"
proftpd.sh server "$ftpname" $ip $ftpport $ftpmax
Continuing in proftpd.sh server ...:
if [ "$1" == "server" ]; then
if [ ! -n "$5" ]; then
Usage
else
SERVER_NAME="$2"
// [...]
setFtpServer
fi
Continuing in thesetFtpServer function:
setFtpServer()
{
echo "ServerName $SERVER_NAME" > $PROFTPD_FILE
// [...]
00401864 int32_t set_nas(int32_t arg1)
00401890 web_debug_header()
004018c4 int32_t User1Passwd = strdup(web_get("User1Passwd", arg1, 0))
004018ec int32_t User1Passwd_1
// [...]
004018fc if (sx.d(*User1Passwd) != 0)
// [...]
00401b10 nvram_bufset(0, "FtpPort", web_get("ftp_port", arg1, 1))
// [...]
00401da8 do_system("storage.sh ftp")
Continuing in storage.sh ftp:
setFtp()
{
// [...]
ftpport=`nvram_get 2860 FtpPort`
// [...]
echo "proftpd.sh server "$ftpname" $ip $ftpport $ftpmax"
proftpd.sh server "$ftpname" $ip $ftpport $ftpmax
Continuing in proftpd.sh server ...:
if [ "$1" == "server" ]; then
if [ ! -n "$5" ]; then
Usage
else
// [...]
TCP_PORT="$4"
// [...]
setFtpServer
fi
Continuing in thesetFtpServer function:
setFtpServer()
{
// [...]
echo "Port $TCP_PORT" >> $PROFTPD_FILE
00401864 int32_t set_nas(int32_t arg1)
00401890 web_debug_header()
004018c4 int32_t User1Passwd = strdup(web_get("User1Passwd", arg1, 0))
004018ec int32_t User1Passwd_1
// [...]
004018fc if (sx.d(*User1Passwd) != 0)
// [...]
00401b48 nvram_bufset(0, "FtpMaxSessions", web_get("ftp_max_sessions", arg1, 1))
// [...]
00401da8 do_system("storage.sh ftp")
Continuing in storage.sh ftp:
setFtp()
{
// [...]
ftpmax=`nvram_get 2860 FtpMaxSessions`
echo "proftpd.sh server "$ftpname" $ip $ftpport $ftpmax"
proftpd.sh server "$ftpname" $ip $ftpport $ftpmax
Continuing in proftpd.sh server ...:
if [ "$1" == "server" ]; then
if [ ! -n "$5" ]; then
Usage
else
// [...]
MAX_CONN="$5"
setFtpServer
fi
Continuing in thesetFtpServer function:
setFtpServer()
{
// [...]
echo "MaxInstances $MAX_CONN" >> $PROFTPD_FILE
2024-07-25 - Initial Vendor Contact
2024-07-29 - Requesting reply from vendor
2024-07-30 - Vendor confirms receipt
2024-07-30 - Vendor Disclosure
2024-07-30 - Vendor confirms receipt
2024-09-02 - Status update request sent
2024-10-15 - Status update request. Upcoming expiration date announced.
2024-10-22 - Vendor replies product has been discontinued, but patches are being worked on
2024-11-04 - Status update request for patch release dates
2024-11-12 TALOS advisory release date announced
2025-01-14 - Public Release
Discovered by Lilith >_> of Cisco Talos.