| Title | Wavlink NU516U1 V240425 Stack-based Buffer Overflow |
|---|
| Description | ⚠️ DISAMBIGUATION NOTICE:
NOT A DUPLICATE OF CVE-2026-2567. Please be advised that this submission is distinct from CVE-2026-2567 and should not be marked as a duplicate. While both vulnerabilities involve a stack-based buffer overflow in the Wavlink WL-NU516U1, they apply to different firmware builds:
CVE-2026-2567: affects firmware version 20251208.
This submission: affects the distinctly earlier firmware version 20240425 (V240425).
Because the memory layout, stack offsets, and underlying compiled binaries differ entirely between these dates, the exploitation conditions and crash behaviour are unique. Please evaluate this report in the specific context of the V240425 firmware.
Stack Buffer Overflow Vulnerability in Wavlink NU516U1 (V240425) nas.cgi Component via "User1Passwd" Parameter in sub_4011E8 Function
Overview
Vendor: Wavlink
Product: NU516U1
Version: WAVLINK-NU516U1-WO-A-2024-04-25-b516aec-GDBYFM
Type: Stack Buffer Overflow
Usage: USB Printer Server / Wireless Router
Firmware Download: https://docs.wavlink.xyz/Firmware/?category=USB+Printer+Server&model=WL-NU516U1-A
Default Password: admin
Basic Vulnerability Information
Vulnerable Binary: /cgi-bin/nas.cgi
Vulnerable Function: sub_4011E8 (main handler for NAS settings) and the helper it calls, sub_405050 (string escape processing).
Vulnerability Point: the string-appending logic inside sub_405050 (strcat- or sprintf-style concatenation into a fixed-size stack buffer with no bounds check).
Trigger Parameter: User1Passwd (corresponds to v2 -> v3 in the decompiled code).
Prerequisites:
The attacker holds a valid login session (cookie). Since the device ships with the default password admin, this is a low bar wherever the password has not been changed.
The request parameter includes page=nas.
Vulnerability Description
When handling NAS (storage management) setting requests, sub_4011E8 in nas.cgi parses the user request. It retrieves the user-submitted POST parameter User1Passwd via sub_403708 and copies it into heap memory v3.
v3 is then passed to the helper sub_405050, which stores the processed string (special characters escaped) into a fixed-size buffer v6 allocated on the stack. Code analysis confirms that v6 is 128 bytes: it is cleared with memset(v6, 0, 128).
sub_405050 has a "character expansion" effect: it prefixes certain characters with an escape character (\), so one input byte can become two output bytes and the string can double in length. Because the function never checks the size of the destination while writing into v6, an attacker only needs to supply a User1Passwd above a modest threshold (about 64 bytes if every character is escaped, more otherwise) for the expanded data to exceed 128 bytes and overflow v6.
The overflowing bytes overwrite the adjacent local variables on the stack and finally the saved return address ($ra). When sub_4011E8 finishes and returns, control transfers to the attacker-supplied address, yielding remote code execution (RCE) or, with an invalid address, denial of service (DoS). |
|---|
| Source | https://github.com/Wlz1112/WAVLINK-NU516-V240425/blob/main/User1Passwd.md |
|---|
| User | haimianbaobao (UID 94979) |
|---|
| Submission | 2026-03-07 12:58 (2 months ago) |
|---|
| Moderation | 2026-03-21 09:15 (14 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB Entry | 346174 [Wavlink WL-NU516U1 20251208 /cgi-bin/nas.cgi sub_401218 User1Passwd buffer overflow] |
|---|
| Points | 0 |
|---|
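The escape-expansion overflow described in the Description field above, as an added example that is not the firmware's code and not taken from the reporter's write-up: a hypothetical reconstruction of an escape routine that prefixes a backslash to certain characters, which shows why a User1Passwd of about 64 bytes is enough to exceed a 128-byte stack buffer, beside a bounds-checked version that computes the expanded length before writing. The set of escaped characters (NEEDS_ESCAPE), the function names, and the sample password are assumptions; the page does not say which characters sub_405050 escapes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the stack buffer v6 in the report: memset(v6, 0, 128). */
#define BUF_SIZE 128

/* ASSUMPTION: which characters the real sub_405050 escapes is not stated on
 * the page; this shell-style set is a stand-in for the demonstration. */
static const char NEEDS_ESCAPE[] = "\"\\$`'";

static int needs_escape(char c) {
    return c != '\0' && strchr(NEEDS_ESCAPE, c) != NULL;
}

/* Number of bytes the escaped form of src occupies, excluding the NUL.
 * Every escaped byte becomes two bytes, so the result is at most 2*strlen. */
size_t escaped_len(const char *src) {
    size_t n = 0;
    for (; *src; src++)
        n += needs_escape(*src) ? 2 : 1;
    return n;
}

/* Does the escaped form of src, plus its terminator, no longer fit in v6? */
int would_overflow(const char *src) {
    return escaped_len(src) + 1 > BUF_SIZE;
}

/* Smallest number of repetitions of c whose escaped form overflows v6:
 * 64 for a character that gets escaped, 128 for a plain one. */
size_t min_overflowing_count(char c) {
    size_t per = needs_escape(c) ? 2 : 1;
    return (BUF_SIZE - 1) / per + 1;   /* first n with per*n + 1 > BUF_SIZE */
}

/* The pattern the report describes (hypothetical reconstruction, not the
 * firmware's code): escape into a fixed stack buffer with no check on how
 * far the expansion has written. An input whose escaped form exceeds
 * BUF_SIZE-1 bytes writes past v6 into the rest of the frame. */
void escape_unbounded(const char *src) {
    char v6[BUF_SIZE];
    memset(v6, 0, BUF_SIZE);
    char *p = v6;
    for (; *src; src++) {
        if (needs_escape(*src))
            *p++ = '\\';
        *p++ = *src;                     /* never compared against BUF_SIZE */
    }
    *p = '\0';
    printf("escaped: %s\n", v6);
}

/* Hardened form: compute the expanded length first and refuse (return -1)
 * if it does not fit, terminator included. Returns the bytes written. */
int escape_bounded(char *dst, size_t dst_size, const char *src) {
    if (escaped_len(src) + 1 > dst_size)
        return -1;
    char *p = dst;
    for (; *src; src++) {
        if (needs_escape(*src))
            *p++ = '\\';
        *p++ = *src;
    }
    *p = '\0';
    return (int)(p - dst);
}

int main(void) {
    /* Constructed sample: a 64-byte User1Passwd made entirely of a
     * character that gets escaped. Not a real value from the report. */
    char pw[65];
    memset(pw, '"', 64);
    pw[64] = '\0';

    printf("input %zu bytes, escaped %zu bytes, buffer %d bytes: %s\n",
           strlen(pw), escaped_len(pw), BUF_SIZE,
           would_overflow(pw) ? "overflows v6" : "fits in v6");
    printf("threshold for '\"': %zu, for 'a': %zu\n",
           min_overflowing_count('"'), min_overflowing_count('a'));

    char out[BUF_SIZE];
    int n = escape_bounded(out, sizeof out, pw);
    printf("bounded escape of 64-byte input: %d (rejected)\n", n);

    pw[63] = '\0';                       /* 63 bytes escape to 126 + NUL */
    n = escape_bounded(out, sizeof out, pw);
    printf("bounded escape of 63-byte input: %d bytes written\n", n);
    escape_unbounded(pw);                /* fits, so no overflow on this call */
    return 0;
}
```

The threshold arithmetic is the practical takeaway: with a 128-byte destination, 63 escaped characters still fit (126 bytes plus the terminator) while 64 do not, which is why the report's "approximately 64 bytes" figure applies only when every byte of the password is one that the helper escapes; a password of plain characters would need 128 bytes before it overflows.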