2021/02/06

Wavlink Multiple AP Products: Unauthenticated Remote Root Command Execution

 

BACKGROUND

WAVLINK brand is rising rapidly in market of wireless network and comprehensive IT peripherals.


DESCRIPTION

Several Wavlink products are affected by a vulnerability that may allow remote unauthenticated users to execute arbitrary commands as root on Wavlink devices. The user input is not properly sanitized which allows command injection via the "key" parameter in a login request. It has been tested on Wavlink WN575A4 and WN579X3 devices, but other products may be affected.


PROOF OF CONCEPT 

1. CVE-2020-13117 - Remote Root Command Execution via the "key" parameter
  
When the user logins, the "key" parameter value is injected in a command execution without filtering, before checking the authentication. The following picture shows a snippet of the vulnerable code:
 


Due to the lack of sanitization, it is possible to escape from the "echo" command context and execute arbitrary commands as root. For example, the following payload would execute the "whoami" command:

';`whoami;`;#

 

It is important to note that the device registers itself on the network as "wifi.wavlink.com" to make the setup process easier as the user does not have to search the assigned IP, but also allowing to trigger the vulnerability from a remote website without knowing the device IP.


There is a payload size limitation, but it can be bypassed splitting the command into several requests to execute more complex commands.


The following file includes a poc exploit to download and execute a file when visiting a malicious website:

https://drive.google.com/file/d/1k5Q_0cW5WOR4AY1IrkztD8COAwPpEu9O/view?usp=sharing


TIMELINE

April 15, 2020: Contact with Wavlink 
February 6, 2021: After several tries to contact them without success, advisory published.


DISCOVERED BY

Jose Antonio Pérez Piedra