| Field | Value |
|---|---|
| Title | Wavlink NU516U1 V251208 Stack-based Buffer Overflow |
| Description | see below |

# **Stack Buffer Overflow Vulnerability in Wavlink NU516U1 (V251208) adm.cgi Component via "firmware_url" Parameter in sub_406194 Function**
**Overview**
- **Vendor:** Wavlink
- **Product:** NU516U1
- **Version:** WAVLINK-NU516U1-A-WO-20251208-BYFM
- **Type:** Stack Buffer Overflow
- **Product Usage:** USB Printer Server
- **Firmware Download:** https://docs.wavlink.xyz/Firmware/?category=USB+Printer+Server&model=all
- **Default Password:** admin
**Vulnerability Basic Information**
- **Vulnerable Function:** `sub_406194` (OTA upgrade handling) and its called helper function `sub_40CCA0` (character escaping).
- **Vulnerability Point:** `strcat(a2, v7)` within the `sub_40CCA0` function.
- **Trigger Parameter:** `firmware_url` (corresponds to `v11` -> `v18` in the code).
- **Prerequisites:**
  - The attacker possesses a valid login Session (Cookie).
  - The `brand`, `model`, and `md5` parameters in the request must contain valid characters to bypass the `sub_40CB5C` blacklist check.
**Vulnerability Description**
When handling OTA firmware upgrade requests, the `sub_406194` function retrieves the user-submitted `firmware_url` parameter and calls the helper function `sub_40CCA0` to process this URL, intending to store the result in a fixed-size buffer `v18` (size 260 bytes) allocated on the stack.
The core of the vulnerability is a logic flaw in the helper function `sub_40CCA0`: it iterates through the input string and unconditionally inserts a backslash `\` before every character for escaping (e.g., input `A` becomes `\A`), so the data grows to twice its original length. The function then uses `strcat` to append the expanded data to the target buffer without any check against the target buffer's size.
An attacker only needs to send a `firmware_url` exceeding 130 bytes (exceeding 260 bytes after expansion) to cause the `v18` buffer to overflow. The overflowed data will sequentially overwrite local variables on the stack, Saved Registers (s0-s7), and finally overwrite the function's return address (`$ra`). When the function attempts to return, the execution flow will be hijacked, leading to Remote Code Execution (RCE) or Denial of Service (DoS).
Reference: https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/firmware_url.md
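The length arithmetic in the description is the whole story: an escaper that emits a backslash before every byte needs `2 * strlen(input) + 1` bytes of output, so a 130-byte `firmware_url` already needs 261 bytes and cannot fit a 260-byte buffer. The C below is an added example, not code from the advisory, the referenced GitHub write-up or the vendor firmware; the function names `escaped_size_needed`, `escape_bounded`, `firmware_url_fits` and `escape_yields`, and the 'A'-filled sample URL, are this example's own constructions. It shows the hardened form of the escaping routine, which computes the required size first and refuses to write when the result would not fit, and uses it to locate the exact input length at which the unbounded `strcat` version starts writing past the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer named in the advisory (v18 in sub_406194). */
#define DEST_SIZE 260

/* Bytes the escaped form of `s` occupies, including the NUL terminator.
 * The escaper emits a backslash before every input byte, so the text
 * doubles in length and one extra byte is needed for the terminator. */
size_t escaped_size_needed(const char *s)
{
    return 2 * strlen(s) + 1;
}

/* Hardened escaper: appends "\x" for every byte x of src to dest, but only
 * after checking that the complete result fits in dest_size bytes.
 * Returns 0 on success and -1 (writing nothing) if it would not fit.
 * dest must already be a NUL-terminated string stored within dest_size. */
int escape_bounded(const char *src, char *dest, size_t dest_size)
{
    size_t have = strlen(dest);
    if (have >= dest_size)
        return -1;                        /* dest is not even terminated */
    if (escaped_size_needed(src) > dest_size - have)
        return -1;                        /* would overflow: refuse */

    char *out = dest + have;
    for (const char *p = src; *p; ++p) {
        *out++ = '\\';
        *out++ = *p;
    }
    *out = '\0';
    return 0;
}

/* Models the advisory's scenario: a firmware_url of url_len bytes is escaped
 * into a 260-byte buffer. Returns 1 if the bounded escaper accepts it and 0 if
 * it refuses, which is exactly the length at which the unbounded strcat
 * version described on the page would write past the end of the buffer. */
int firmware_url_fits(size_t url_len)
{
    char url[1024];                       /* constructed sample input */
    if (url_len >= sizeof url)
        url_len = sizeof url - 1;
    memset(url, 'A', url_len);
    url[url_len] = '\0';

    char dest[DEST_SIZE] = "";
    return escape_bounded(url, dest, sizeof dest) == 0;
}

/* Returns 1 if escaping src into an empty 260-byte buffer yields expected. */
int escape_yields(const char *src, const char *expected)
{
    char dest[DEST_SIZE] = "";
    if (escape_bounded(src, dest, sizeof dest) != 0)
        return 0;
    return strcmp(dest, expected) == 0;
}

int main(void)
{
    /* 129 bytes need 259, 130 bytes need 261: the boundary is at 130. */
    for (size_t len = 128; len <= 131; ++len)
        printf("firmware_url of %zu bytes needs %zu of %d bytes: %s\n",
               len, 2 * len + 1, DEST_SIZE,
               firmware_url_fits(len) ? "fits" : "refused");
    return 0;
}
```

The check is done against the escaped size rather than the raw input length, so the same routine stays correct if a future change escapes only some characters; the caller passes the buffer capacity explicitly instead of relying on `strcat`, which has no way to know it.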
| Field | Value |
|---|---|
| Source | https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/firmware_url.md |
| User | haimianbaobao (UID 94979) |
| Submission | 04/02/2026 10:06 AM (3 months ago) |
| Moderation | 15/02/2026 08:40 PM (11 days later) |
| Status | Accepted |
| VulDB Entry | 346173 [Wavlink WL-NU516U1 up to 130/260 /cgi-bin/adm.cgi sub_406194 firmware_url buffer overflow] |
| Points | 20 |