| Title | Wavlink NU516U1 V260227 Stack-based Buffer Overflow |
|---|
| Description | Stack-based Buffer Overflow Vulnerability via `Content-Length` in Main Entry Function `ftext` of Component `nas.cgi` on Wavlink NU516U1 (V260227)
Vulnerability Overview
Vendor: Wavlink
Product: NU516U1
Affected Version: WINSTAR_NU516U1-WO-A-2026-02-27-2fcf6ae-mt7628-squashfs-sysupgrade (Firmware Version: M16U1_V260227) [Latest Version]
Vulnerability Type: Stack-based Buffer Overflow (CWE-121)
Product Purpose: USB Printer Server
Firmware Download Link: https://docs.wavlink.xyz/Firmware/?category=USB+Printer+Server&model=WL-NU516U1-A
Vulnerability Entry Point: `/cgi-bin/nas.cgi` component
Default Login Password: admin
Vulnerability Basic Information
Vulnerable Function: `ftext` (i.e., the main entry parsing function of the `nas.cgi` program)
Vulnerability Point: `fgets(v11, n2, stdin);`
Trigger Parameter: The `Content-Length` field in the HTTP request header and the corresponding ultra-long POST request body.
Prerequisites: Very low. The vulnerability occurs during the initial HTTP request body reading phase of the program, prior to specific business logic and deeper execution branches.
Vulnerability Description
In the latest firmware of the Wavlink NU516U1 router, a severe security flaw exists in the main entry function `ftext` of the `/cgi-bin/nas.cgi` component. When attempting to read the HTTP POST request body, the program fails to perform any effective bounds checking on the input length.
Specifically, the program allocates a fixed-size buffer `v11` of 516 bytes on the stack. Subsequently, the program retrieves the environment variable `CONTENT_LENGTH` (which is completely controlled by the `Content-Length` field in the client's HTTP request header) and converts it into an integer `n2`. Following this, the program directly calls `fgets(v11, n2, stdin)`, attempting to read data of length `n2` from standard input and store it into `v11`.
Because the program completely trusts the `Content-Length` provided by the attacker, when an attacker declares a value greater than 516 (e.g., 2000) in the request header and appends malicious data of the corresponding length in the request body, the `fgets` function will write the excess data into the 516-byte stack space without restriction. This immediately overruns the buffer boundary, clobbers the saved registers in the stack frame, and precisely overwrites the return address (`$ra`). Consequently, the program's execution flow is hijacked, allowing the attacker to achieve Remote Code Execution (RCE). |
|---|
| Source | ⚠️ https://github.com/Wlz1112/WAVLINK-NU516U1-V260227/blob/main/Content-Length.md |
|---|
| User | haimianbaobao (UID 94979) |
|---|
| Submission | 2026-03-10 11:58 (22 days ago) |
|---|
| Moderation | 2026-03-25 17:31 (15 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 353192 [Wavlink WL-NU516U1 260227 /cgi-bin/nas.cgi ftext Content-Length buffer overflow] |
|---|
| Points | 20 |
|---|
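
The bounds check that the description reports as missing, shown as an added example (not code from the report or from the vendor's firmware): the declared `CONTENT_LENGTH` is validated against the 516-byte buffer before any read. `read_cgi_body` and `BODY_BUF_SIZE` are hypothetical names, and the read uses `fread` rather than the `fgets` call quoted in the report.

```c
/* Added example: bounded read of a CGI POST body (all names hypothetical). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define BODY_BUF_SIZE 516  /* stack buffer size stated in the description */

/*
 * Parse the CONTENT_LENGTH string and read the body into buf (capacity bufsz).
 * Returns the number of bytes read, or -1 if the declared length is missing,
 * malformed, negative, out of range, or does not fit in the buffer.
 */
long read_cgi_body(FILE *in, const char *content_length,
                   char *buf, size_t bufsz)
{
    char *end;
    long n;

    if (content_length == NULL || *content_length == '\0' || bufsz == 0)
        return -1;

    errno = 0;
    n = strtol(content_length, &end, 10);
    if (errno != 0 || *end != '\0' || n < 0)
        return -1;                  /* not a clean non-negative integer */
    if ((unsigned long)n >= bufsz)
        return -1;                  /* no room for body plus terminator */

    /* The read size is now bounded by the buffer, not by the client. */
    size_t got = fread(buf, 1, (size_t)n, in);
    buf[got] = '\0';
    return (long)got;
}

int main(void)
{
    char body[BODY_BUF_SIZE];
    long n = read_cgi_body(stdin, getenv("CONTENT_LENGTH"), body, sizeof body);

    if (n < 0) {
        /* Reject the request instead of truncating or overflowing. */
        puts("Status: 400 Bad Request\r\n\r");
        return 0;
    }
    printf("Content-Type: text/plain\r\n\r\nread %ld bytes\n", n);
    return 0;
}
```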