| Title | Wavlink NU516U1 V251208 Stack-based Buffer Overflow |
|---|
| Description | # A remote stack overflow vulnerability exists in the `singlePortForwardDelete` function of the `firewall.cgi`
component in the Wavlink NU516U1 (V251208) software.
### Overview
Supplier: Wavlink
Product: NU516U1
Version: WAVLINK-NU516U1-A-WO-20251208-BYFM
Type: stack overflow
### **Vulnerability description:**
A stack overflow vulnerability exists in the `/cgi-bin/firewall.cgi` component in Wavlink NU516U1 router firmware
(version WAVLINK-NU516U1-A-WO-20251208-BYFM). The vulnerability is located in the **`sub_4016D0`** function that
handles the **Port Forward Delete (`singlePortForwardDelete`)** functionality. When processing the `del_flag`
parameter, the program calls the filter function `sub_405B2C` to check user input. Although this function attempts to
block dangerous characters through a blacklist mechanism, it does not enforce any restriction on input length.
After the input passes validation, the program uses the `sprintf` function to write the user-controlled `del_flag`
value into a fixed-size stack buffer:
```c
sprintf(v5, "uci delete firewall.@redirect[%s]", v2);
```
Because `v5` is a local stack buffer of limited size and `sprintf` performs no bounds checking, an authenticated remote
attacker can supply an excessively long `del_flag` value to overflow the stack, corrupt adjacent memory, crash the CGI
process, and potentially achieve arbitrary code execution under certain conditions. |
|---|
| Source | ⚠️ https://github.com/havenoideal123/wavlink-vuln/blob/main/firewall/singlePortForwardDelete.md |
|---|
| User | alex_7 (UID 97263) |
|---|
| Submission | 2026-04-11 10:28 (2 months ago) |
|---|
| Moderation | 2026-05-09 09:55 (28 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 346265 [Wavlink WL-NU516U1 up to 20251208 /cgi-bin/firewall.cgi singlePortForwardDelete del_flag privilege escalation] |
|---|
| Points | 0 |
|---|
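
The gap described above (a character blacklist with no length limit feeding `sprintf`) and a bounded replacement, as an added example that is not code from the firmware or the original report. `blacklist_ok` is a hypothetical stand-in for `sub_405B2C`; the 64-byte buffer size, the blacklisted character set, and the rule that `del_flag` is a one-to-three-digit rule index are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define CMD_BUF_SIZE 64   /* assumed size; the page does not state the size of v5 */

/* Hypothetical stand-in for the blacklist filter (sub_405B2C): rejects shell
 * metacharacters but, like the original, places no limit on length.
 * The character set is an assumption. */
static int blacklist_ok(const char *s)
{
    return strpbrk(s, ";|&`$<>\\\"'\n") == NULL;
}

/* Bytes sprintf would need for this input, including the NUL terminator. */
static size_t formatted_len(const char *del_flag)
{
    return (size_t)snprintf(NULL, 0, "uci delete firewall.@redirect[%s]", del_flag) + 1;
}

/* Hardened builder: allow-list the value as a short decimal index, then
 * format with snprintf and treat truncation as an error.
 * Returns 0 on success, -1 if the input is rejected. */
static int build_delete_cmd(char *out, size_t out_len, const char *del_flag)
{
    size_t n = strlen(del_flag);
    if (n == 0 || n > 3)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)del_flag[i]))
            return -1;
    int w = snprintf(out, out_len, "uci delete firewall.@redirect[%s]", del_flag);
    return (w < 0 || (size_t)w >= out_len) ? -1 : 0;
}

int main(void)
{
    char cmd[CMD_BUF_SIZE];
    char long_flag[201];                 /* constructed input: 200 'A' bytes */
    memset(long_flag, 'A', 200);
    long_flag[200] = '\0';

    printf("blacklist passes long input: %d, needs %zu bytes, buffer has %d\n",
           blacklist_ok(long_flag), formatted_len(long_flag), CMD_BUF_SIZE);
    printf("hardened, long input: %d\n", build_delete_cmd(cmd, sizeof cmd, long_flag));
    if (build_delete_cmd(cmd, sizeof cmd, "2") == 0)
        printf("hardened, index 2: %s\n", cmd);
    return 0;
}
```

The allow-list also removes the dependence on the blacklist for this parameter, since only digits ever reach the `uci` command string.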