| عنوان | yealink T46U 108.86.0.118 Stack-based Buffer Overflow |
|---|
| الوصف | Yealink T46U phone firmware `x.x.x.x` contains an off-by-one stack write vulnerability in the Web FastCGI service `fcgiserver`. The vulnerable endpoint is:
```text
POST /api/inner/bttest
```
The endpoint is handled by `mod_webd.BlueToothTest()`. For the `connect` and `disconnect` actions, the handler parses JSON fields including `btMac`, `pin`, and `reserved`, truncates them, and copies them into fixed offsets inside a 256-byte stack buffer. A 127-byte `reserved` value causes the terminating NUL byte from `strcpy()` to be written one byte past the end of the stack buffer.
poc
POST /api/inner/bttest?p=Setting&t=<timestamp>&action=connect HTTP/1.1
Host: <target>
Cookie: JSESSIONID=<valid-session>
X-Csrftoken: <valid-token>
Content-Type: application/json;charset=UTF-8
{"btMac":"00:11:22:33:44:55","pin":"0000","reserved":"<127 bytes>"}
|
|---|
| المصدر | ⚠️ http://cdn2.v50to.cc/T46U/T46U_mod_webd_BlueToothTest_off_by_one.zip |
|---|
| المستخدم | ChiChen241 (UID 98424) |
|---|
| ارسال | 21/05/2026 04:56 AM (26 أيام منذ) |
|---|
| الاعتدال | 14/06/2026 03:54 PM (24 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 370865 [Yealink SIP-T46U 108.86.0.118 Web FastCGI Service /api/inner/bttest mod_webd.BlueToothTest btMac/pin/reserved تلف الذاكرة] |
|---|
| النقاط | 20 |
|---|