| عنوان | Wavlink NU516U1 V251208 Stack-based Buffer Overflow |
|---|
| الوصف | # A remote stack overflow vulnerability exists in the `singlePortForwardDelete` function of the `firewall.cgi`
component in the Wavlink NU516U1 (V251208) software.
### Overview
Supplier: Wavlink
Product: NU516U1
Version: WAVLINK-NU516U1-A-WO-20251208-BYFM
Type: stack overflow
### **Vulnerability description:**
A stack overflow vulnerability exists in the `/cgi-bin/firewall.cgi` component in Wavlink NU516U1 router firmware
(version WAVLINK-NU516U1-A-WO-20251208-BYFM). The vulnerability is located in the **`sub_4016D0`** function that
handles the **Port Forward Delete (`singlePortForwardDelete`)** functionality. When processing the `del_flag`
parameter, the program calls the filter function `sub_405B2C` to check user input. Although this function attempts to
block dangerous characters through a blacklist mechanism, it does not enforce any restriction on input length.
After the input passes validation, the program uses the `sprintf` function to write the user-controlled `del_flag`
value into a fixed-size stack buffer:
```c
sprintf(v5, "uci delete firewall.@redirect[%s]", v2);
Because v5 is a local stack buffer of limited size and sprintf performs no bounds checking, an authenticated remote
attacker can supply an excessively long del_flag value to overflow the stack, corrupt adjacent memory, crash the CGI
process, and potentially achieve arbitrary code execution under certain conditions. |
|---|
| المصدر | ⚠️ https://github.com/havenoideal123/wavlink-vuln/blob/main/firewall/singlePortForwardDelete.md |
|---|
| المستخدم | alex_7 (UID 97263) |
|---|
| ارسال | 11/04/2026 10:28 AM (2 أشهر منذ) |
|---|
| الاعتدال | 09/05/2026 09:55 AM (28 days later) |
|---|
| الحالة | مكرر |
|---|
| إدخال VulDB | 346265 [Wavlink WL-NU516U1 حتى 20251208 /cgi-bin/firewall.cgi singlePortForwardDelete del_flag تجاوز الصلاحيات] |
|---|
| النقاط | 0 |
|---|