जमा करें #802827: Wavlink NU516U1 V251208 Stack-based Buffer Overflow
| शीर्षक | Wavlink NU516U1 V251208 Stack-based Buffer Overflow |
|---|---|
| विवरण | # A remote stack overflow vulnerability exists in the `singlePortForwardDelete` function of the `firewall.cgi` component in the Wavlink NU516U1 (V251208) software. ### Overview Supplier: Wavlink Product: NU516U1 Version: WAVLINK-NU516U1-A-WO-20251208-BYFM Type: stack overflow ### **Vulnerability description:** A stack overflow vulnerability exists in the `/cgi-bin/firewall.cgi` component in Wavlink NU516U1 router firmware (version WAVLINK-NU516U1-A-WO-20251208-BYFM). The vulnerability is located in the **`sub_4016D0`** function that handles the **Port Forward Delete (`singlePortForwardDelete`)** functionality. When processing the `del_flag` parameter, the program calls the filter function `sub_405B2C` to check user input. Although this function attempts to block dangerous characters through a blacklist mechanism, it does not enforce any restriction on input length. After the input passes validation, the program uses the `sprintf` function to write the user-controlled `del_flag` value into a fixed-size stack buffer: ```c sprintf(v5, "uci delete firewall.@redirect[%s]", v2); Because v5 is a local stack buffer of limited size and sprintf performs no bounds checking, an authenticated remote attacker can supply an excessively long del_flag value to overflow the stack, corrupt adjacent memory, crash the CGI process, and potentially achieve arbitrary code execution under certain conditions. |
| स्रोत | ⚠️ https:/ |
| उपयोगकर्ता | alex_7 (UID 97263) |
| सबमिशन | 11/04/2026 10:28 AM (2 महीनों पहले) |
| संयम | 09/05/2026 09:55 AM (28 days later) |
| स्थिति | प्रतिलिपि |
| VulDB प्रविष्टि | 346265 [Wavlink WL-NU516U1 तक 20251208 /cgi-bin/firewall.cgi singlePortForwardDelete del_flag अधिकार वृद्धि] |
| अंक | 0 |