CVE-2024-39786,CVE-2024-39787
Multiple directory traversal vulnerabilities exist in the nas.cgi add_dir() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to permission bypass. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Wavlink AC3000 M33A8.V5030.210505
Wavlink AC3000 - https://www.wavlink.com/en_us/product/WL-WN533A8.html
9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
The Wavlink AC3000 wireless router is predominately one of the most popular gigabit routers in the US, in part due to both its potential wireless and wired speed capabilities and extremely low price point (costing at the time of this writing ~$60 USD). Among the configuration options, it’s also able to act as a standalone wireless gateway, a basic network router, or a wireless repeater.
When interacting with and configuring the Wavlink AC3000 wifi router, as is typical of most wifi routers, an administrator logs in via some web portal and configures appropriate options via the HTTP interface. In the case of this particular router, and in another somewhat common execution pattern, these HTML pages can invoke .cgi binaries due to how the lighttpd server is configured. Since all of these .shtml and .cgi files are located in the web root, anyone with network access to the device doesn’t actually need to log in to the device to interact with these .cgi files, and it usually is the responsibility of the .cgi binary to check if the authentication is completed successfully. On this device, one will see a check_valid_user() function in each individual .cgi binary which will check the session cookie of the HTTP request to see if it’s coming from a validly logged in user.
Assuming that we’ve passed this check in the nas.cgi binary, we then run into a set of functions that we can call based off of what we pass for the page= parameter in our HTTP POST request. Of the available commands, we focus on the following:
00400bfc if (contlenp1 s>= 2)
00400c08 if (contlenp1 s>= 0x200)
00400d58 contlenp1 = 0x200
00400c1c char inpbuf[0x200]
00400c1c memset(&inpbuf, 0, 0x200)
00400c38 fgets(&inpbuf, contlenp1, *stdin)
00400c54 int32_t $v0_8 = web_get("page", &inpbuf, 0)
// [...]
00400c98 else if (strcmp($v0_8, "adddir") == 0)
00400e00 add_dir(&inpbuf, 0x400000)
While our input POST data is limited to 0x200 bytes, if we provide page=adddir, we enter the add_dir function and our provided POST data is further parsed therein.
00401430 int32_t add_dir(int32_t arg1)
// [...]
00401478 int32_t $v0_1 = strdup(web_get("adddir_name", arg1, 0)) // [1]
004014b0 int32_t $v0_3 = strdup(web_get("disk_part", arg1, 0)) // [2]
004014d0 do_system("mkdir -p "%s/%s"", $v0_3, $v0_1)
004014ec do_system("chmod 777 "%s/%s"", $v0_3, $v0_1)
00401508 free_all(2, $v0_1, $v0_3)
00401528 return web_back_parentpage() __tailcall
Since there’s no preamble directory or any sort of filtering on “../” of the input parameters at [1] or [2], we can de facto change the permissions of any file or directory on the system to RWX. This is extremely useful in combination with other vulnerabilities or functionality of the device, as, for instance, the FTP and Samba services cannot add the executable bit to files. Or, if we ended up uploading a script to the web root and wanted it to execute, we would need this execute bit as well. Another example of usefulness is that if we log in as the share user via FTP, we can use this vulnerability to gain access to the entire file system, instead of just what we might normally just be able to access.
00401430 int32_t add_dir(int32_t arg1)
// [...]
00401478 int32_t $v0_1 = strdup(web_get("adddir_name", arg1, 0)) // [1]
// [...]
004014d0 do_system("mkdir -p "%s/%s"", $v0_3, $v0_1)
004014ec do_system("chmod 777 "%s/%s"", $v0_3, $v0_1)
00401508 free_all(2, $v0_1, $v0_3)
00401528 return web_back_parentpage() __tailcall
By providing a relative path containing multiple “../” sequences inside of the adddir_name POST parameter [1], we can change the permissions of any file or directory on the system to RWX.
00401430 int32_t add_dir(int32_t arg1)
// [...]
004014b0 int32_t $v0_3 = strdup(web_get("disk_part", arg1, 0)) // [2]
004014d0 do_system("mkdir -p "%s/%s"", $v0_3, $v0_1)
004014ec do_system("chmod 777 "%s/%s"", $v0_3, $v0_1)
00401508 free_all(2, $v0_1, $v0_3)
00401528 return web_back_parentpage() __tailcall
By providing a relative path containing multiple “../” sequences inside of the disk_part POST parameter [2], we can change the permissions of any file or directory on the system to RWX.
2024-07-25 - Initial Vendor Contact
2024-07-29 - Requesting reply from vendor
2024-07-30 - Vendor confirms receipt
2024-07-30 - Vendor Disclosure
2024-07-30 - Vendor confirms receipt
2024-09-02 - Status update request sent
2024-10-15 - Status update request. Upcoming expiration date announced.
2024-10-22 - Vendor replies product has been discontinued, but patches are being worked on
2024-11-04 - Status update request for patch release dates
2024-11-12 TALOS advisory release date announced
2025-01-14 - Public Release
Discovered by Lilith >_> of Cisco Talos.