CVE-2024-39280
An external config control vulnerability exists in the nas.cgi set_smb_cfg() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Wavlink AC3000 M33A8.V5030.210505
Wavlink AC3000 - https://www.wavlink.com/en_us/product/WL-WN533A8.html
9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE-15 - External Control of System or Configuration Setting
The Wavlink AC3000 wireless router is predominately one of the most popular gigabit routers in the US, in part due to both its potential wireless and wired speed capabilities and extremely low price point (costing at the time of this writing ~$60 USD). Among the configuration options, it’s also able to act as a standalone wireless gateway, a basic network router, or a wireless repeater.
When interacting with and configuring the Wavlink AC3000 wifi router, as is typical of most wifi routers, an administrator logs in via some web portal and configures appropriate options via the HTTP interface. In the case of this particular router, and in another somewhat common execution pattern, these HTML pages can invoke .cgi binaries due to how the lighttpd server is configured. Since all of these .shtml and .cgi files are located in the web root, anyone with network access to the device doesn’t actually need to log in to the device to interact with these .cgi files, and it usually is the responsibility of the .cgi binary to check if the authentication is completed successfully. On this device, one will see a check_valid_user() function in each individual .cgi binary which will check the session cookie of the HTTP request to see if it’s coming from a validly logged in user.
Assuming that we’ve passed this check in the nas.cgi binary, we then run into a set of functions that we can call based off of what we pass for the page= parameter in our HTTP POST request. Of the available commands, we focus on the following:
00400bfc if (contlenp1 s>= 2)
00400c08 if (contlenp1 s>= 0x200)
00400d58 contlenp1 = 0x200
00400c1c char inpbuf[0x200]
00400c1c memset(&inpbuf, 0, 0x200)
00400c38 fgets(&inpbuf, contlenp1, *stdin)
00400c54 int32_t $v0_8 = web_get("page", &inpbuf, 0)
// [...]
00400c7c else if (strcmp($v0_8, &smb) == 0)
00400d5c set_smb_cfg(&inpbuf)
While our input POST data is limited to 0x200 bytes, if we provide page=smb, we enter the set_smb_cfg function and our provided POST data is further parsed therein.
00401370 int32_t set_smb_cfg(int32_t arg1)
0040138c web_debug_header()
004013c4 nvram_bufset(0, "SmbEnabled", web_get("smb_enabled", arg1, 1)) // [1]
004013fc nvram_bufset(0, "SmbNetBIOS", web_get("smb_netbios", arg1, 1)) // [2]
00401414 nvram_commit(0)
00401428 return set_smb() __tailcall
00401030 int32_t set_smb()
00401050 nvram_bufget(0, "Login")
0040106c return do_system("storage.sh samba") __tailcall // [3]
An extremely short set of functions, we take our two HTTP POST parameters smb_enabled and smb_netbios at [1] and [2] respectively, throw them into nvram and then hit the call to storage.sh samba at [3]:
"samba")
if [ "$CONFIG_NF_SHORTCUT_HOOK" = "y" ]; then
rmmod nf_sc
fi
killall -q nmbd
killall -q smbd
smp.sh wifi
echo 3 > /proc/sys/vm/drop_caches
echo 2048 > /proc/sys/vm/min_free_kbytes
if [ ! -e "$PART1" ]; then
rm /etc/smb.conf
echo "1st partition does not exist"
exit 0
fi
smbenabled=`nvram_get 2860 SmbEnabled`
if [ "$smbenabled" == "1" ]; then
rm /etc/smb.conf
setSmb
Assuming our smb_enabled argument is “1”, then the script deletes the existing /etc/smb.conf [4] and regenerates it within setSmb()[5]:
setSmb()
{
killall smbd
killall nmbd
smbnetbios=`nvram_get 2860 SmbNetBIOS`
smbwg=`nvram_get 2860 HostName`
echo "samba.sh "$smbnetbios" "$smbwg" "$PART1""
samba.sh "$smbnetbios" "$smbwg" "$PART1"
The smbd and nmbd services are killed and we run the samba.sh script with our input smb_netbios[2] argument from before as the second parameter. Continuing in samba.sh:
#!/bin/sh
. /sbin/config.sh
opmode=`nvram_get 2860 OperationMode`
SAMBA_FILE=/etc/smb.conf
// [...]
NETBIOS_NAME="$1"
WORKGROUP="$2"
LOGPATH="$3"
echo "$LOGPATH"
echo "[global]
min receivefile size = 8192
use sendfile = yes
use mmap = yes
load printers = no
netbios name = $NETBIOS_NAME // [6]
server string = Samba Server
workgroup = admin2860
security = user
log file = /var/log.samba
encrypt passwords = yes
disable spoolss = yes
host msdfs = no
strict allocate = No
os level = 20
log level = 0
max log size = 100
dos charset = ASCII
unix charset = UTF8
display charset = UTF8
guest account = share
bind interfaces only = no" > $SAMBA_FILE
As quite apparent, our input is directly written into the /etc/smb.conf file at [6]. Since there’s no character filtering on our input string, we can utilize newlines to write in entirely arbitrary samba configuration. The most efficient way to gain shell access from this vulnerability is to utilize the root preexec configuration line, which allows us to put arbitrary shell commands to be run whenever someone connects to the samba server, however there are also other ways of leveraging this power.
2024-07-25 - Initial Vendor Contact
2024-07-29 - Requesting reply from vendor
2024-07-30 - Vendor confirms receipt
2024-07-30 - Vendor Disclosure
2024-07-30 - Vendor confirms receipt
2024-09-02 - Status update request sent
2024-10-15 - Status update request. Upcoming expiration date announced.
2024-10-22 - Vendor replies product has been discontinued, but patches are being worked on
2024-11-04 - Status update request for patch release dates
2024-11-12 TALOS advisory release date announced
2025-01-14 - Public Release
Discovered by Lilith >_> of Cisco Talos.