Wavlink Command Injection (CVE-2022-23900)
TL/DR:
The Wavlink WL-WN531P3 router exposes an API endpoint susceptible to command injection. The endpoint is reachable without an authentication header, so the vulnerability can be exploited by an unauthenticated attacker. Furthermore, the request carries no CSRF protection: an attacker who lures a user on the router's LAN to a malicious web page can have that user's browser issue the injected request, so RCE can be achieved without the attacker ever connecting to the local network.
Vulnerability Description and Discovery:
The router hosts an API that accepts requests made from within the Admin portal. One thing a user can do from within this portal is send a `ping` command. An example has been included below:
Because `ping` is a well-known command-line utility, and embedded firmware typically runs such utilities through a shell call such as `system()`, we may immediately begin to theorize about the possibility of command injection.
Command Injection Explanation:
For those unfamiliar with command injection, here is a quick rundown:
Let’s take the above `ping` functionality and walk through what could be happening between the web portal and the router.
- You as the user input the IP you wish to ping.
- The Admin portal sends a request to the router with the IP you specified.
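To make the pattern concrete, here is an added example (not code from the original post or from the Wavlink firmware) of a hypothetical ping handler written the way the text suggests the router behaves, next to a hardened version. The handler names, the exact `ping -c 1` invocation and the attacker input `8.8.8.8; cat /etc/passwd` are assumptions for illustration; the post does not show the real payload. Nothing is executed: the vulnerable command line is only tokenised the way a POSIX shell would tokenise it, so the example runs offline.

```python
"""Command injection in a ping handler: vulnerable string building vs.
validated argv.  Added example, not the router's or the author's code.
"""
import ipaddress
import shlex

# Constructed attacker input (assumption, not the real CVE payload):
# a valid-looking address followed by a second command after ';'.
INJECTED_INPUT = "8.8.8.8; cat /etc/passwd"

# Shell tokens that end one command and start another.
SEPARATORS = {";", "&&", "||", "|", "&"}


def vulnerable_ping_command(target: str) -> str:
    """Builds the string a naive handler would hand to system()/popen().

    The user-controlled value is concatenated straight into the command
    line, so shell metacharacters such as ; | & $( ) and backticks are
    interpreted by the shell rather than passed to ping.
    """
    return "ping -c 1 " + target


def shell_commands(cmdline: str) -> list[list[str]]:
    """Splits a command line into the separate argv lists a POSIX shell
    would execute.  punctuation_chars=True makes shlex emit ; | & as
    their own tokens, which is enough to show where one command ends.
    """
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands: list[list[str]] = []
    current: list[str] = []
    for tok in lexer:
        if tok in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def validate_target(target: str) -> str:
    """Accepts only a literal IPv4/IPv6 address and returns it normalised.

    ipaddress.ip_address raises ValueError for anything else, so shell
    metacharacters never reach the command at all.
    """
    return str(ipaddress.ip_address(target.strip()))


def safe_ping_argv(target: str) -> list[str]:
    """argv for subprocess.run(argv, shell=False): no shell parses it, and
    the target has already been reduced to a bare IP address."""
    return ["ping", "-c", "1", validate_target(target)]


if __name__ == "__main__":
    cmd = vulnerable_ping_command(INJECTED_INPUT)
    print("vulnerable command line:", cmd)
    print("commands the shell would run:", shell_commands(cmd))
    print("hardened argv for a good target:", safe_ping_argv("8.8.8.8"))
    try:
        safe_ping_argv(INJECTED_INPUT)
    except ValueError as exc:
        print("hardened handler rejected the injected input:", exc)
```

The key difference is not the validation alone: even if the injected string slipped through, passing it as a single element of an argv list (no `shell=True`, no `system()`) would hand `ping` one unresolvable hostname instead of letting a shell split it into two commands. Validation and shell-free execution together close both halves of the bug.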