Information

Vendor of the products: WAVLINK

Reported by: FeiXincheng(FXC030618@outlook.com) && WangJincheng(wjcwinmt@outlook.com) && ShaLetian(ltsha@njupt.edu.cn) from X1cT34m

Affected products: WAVLINK WL-WN575A3

Affected firmware version: RPT75A3.V4300.201217

Vendor Homepage: https://www.wavlink.com/en_us

Vendor Advisory: https://www.wavlink.com/en_us/firmware/details/fac744bd61.html

CVE_ID: CVE-2022-37149

Summary

WAVLINK WL-WN575A3 was discovered to contain a command injection vulnerability in the file adm.cgi. This vulnerability allows attackers to execute arbitrary commands via the username parameter.

Show the product

Wavlink WL-WN575A3 is an AC1200 Dual-band Wi-Fi Range Extender. The test version here is RPT75A3.V4300.201217.

Vulnerability details

The vulnerability is located in /etc_ro/lighttpd/www/cgi-bin/adm.cgi

Execution begins at the _start entry, and then the ftext function is executed.

In the function ftext, we find that if we control the page field so that its content is sysinit, the set_sys_init function is executed.

In the function set_sys_init, the program uses the function web_get to obtain the content of the parameters username and newpass, which are sent in the POST request. Then, when newpass != 0, the content of username is formatted into a string that is passed as an argument to the function do_system, which can execute system commands.

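A defensive sketch of how the set_sys_init path described above could avoid the injection, added here as an example and not taken from the vendor's firmware or from the reporters: the username is checked against an allow-list and then handed to execv as a single argv element instead of being formatted into a do_system string. The function names, the helper path argument, the character set and the 32-character limit are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list: 1..32 characters from [A-Za-z0-9_.-], not starting with '-'.
 * Character set and length limit are assumptions, not the vendor's rules. */
int username_is_safe(const char *s)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-";
    if (s == NULL || s[0] == '-')
        return 0;
    size_t n = strspn(s, ok);
    return n >= 1 && n <= 32 && s[n] == '\0';
}

/* Execute argv[0] directly with fork/execv: no shell parses the arguments,
 * so backticks, ';' and '|' stay literal. Returns exit status, -1 on error. */
int run_no_shell(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);                 /* execv itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Hypothetical stand-in for the do_system() call in set_sys_init: validate,
 * then pass username as one argv element. Returns -2 if it is rejected. */
int apply_username(const char *helper, const char *username)
{
    char *argv[] = { (char *)helper, (char *)username, NULL };
    if (!username_is_safe(username))
        return -2;
    return run_no_shell(argv);
}

int main(void)
{
    /* username value from the PoC on this page */
    printf("%d\n", username_is_safe("fxc`ls>/etc_ro/lighttpd/www/fxc.html`"));
    return 0;
}
```

Either measure alone blocks the PoC value; combining them keeps a later change to the allow-list from reopening the shell path.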

PoC

Send the following to the URL http://wifi.wavlink.com/cgi-bin/adm.cgi in a POST request.

page=sysinit&username=fxc`ls>/etc_ro/lighttpd/www/fxc.html`

Before attack

After attack
