| Titre | WAVLINK NU516U1 M16U1_V260515 OS Command Injection |
|---|
| Description | CSRF Authentication Bypass Chained with Stored Command Injection (RCE) in WAVLINK NU516U1 Router Firmware WO-A-2026-05-15-708c073 (MT7628 / MIPS 24KEc, lighttpd).
Two-stage stored command injection in adm.cgi: Step 1 (page=lan) stores user-supplied `lan_ip` into UCI winstar.system.lan_ipaddr via wlink_uci_set_value() without sanitization. Step 2 (page=openDHCP) reads the persisted value from UCI, concatenates it into an `ifconfig br-lan %s` command via sprintf(), and executes it through system() — shell metacharacter `;` enables arbitrary command execution. The payload persists in /etc/config/winstar between requests.
All three CSRF defenses are defeated, enabling full remote exploitation via a single malicious webpage:
1) No SameSite Attribute — login.cgi's make_cookie_string() @ 0x405728 sets `Set-Cookie: session=%s; Path=/` without SameSite=Strict, so cross-site <form> POST top-level navigations carry the session cookie. check_valid_user() @ 0x40A4CC validates the session by matching HTTP_COOKIE against /tmp/loginuser, so any logged-in admin visiting a malicious page automatically passes authentication.
2) No CSRF Tokens — adm.cgi main() @ 0x400FD0 dispatches to 20+ page handlers (lan, openDHCP, set_sys_adm, reboot, loaddefault, auto_upgrade, etc.) without requiring any anti-CSRF token in the POST body.
3) Bypassable Referer Check — check_csrf_referer() @ 0x40B394 validates HTTP_REFERER via strstr() sub-string matching against LAN/WAN IPs and user-configured domain names. strstr() performs only substring matching without URL parsing, so hosting the malicious page on a domain containing the router's LAN IP (e.g., 192.168.10.1.evil.com) satisfies the check: strstr("http://192.168.10.1.evil.com/", "192.168.10.1") returns a match.
Verified via static binary analysis (IDA Pro / MIPS decompilation) and dynamic testing on EMUX-emulated firmware with pwndbg. PoC HTML page provided. Input validation bypass, shell metacharacter injection, and authentication bypass are all demonstrated with code-level evidence. |
|---|
| La source | ⚠️ https://github.com/0xcc12138/wavlink-nu516u1-csrf-command-injection- |
|---|
| Utilisateur | 0xcc12138 (UID 97530) |
|---|
| Soumission | 04/06/2026 09:15 (il y a 1 mois) |
|---|
| Modérer | 12/07/2026 08:26 (1 month later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 377842 [Wavlink WL-NU516U1 260515 /cgi-bin/adm.cgi wlink_uci_set_value lan_ip élévation de privilèges] |
|---|
| Points | 20 |
|---|