| Title | wavlink NU516U1 WINSTAR_NU516U1-WO-A-2026-02-27-2fcf6ae-mt7628-squashfs-sysupgrade (Firmware Version: M16U1_V260227) Command Injection |
|---|
| Description | ## **Vulnerability description:**
A remote command execution vulnerability exists in the `/cgi-bin/login.cgi` component in Wavlink NU516U1 router firmware (version V260227). The vulnerability is located in the **`sub_4012D0`** function that handles the **login (`page=login`)** functionality.
When processing the `ipaddr` parameter, the program first invokes the filter function **`sub_405A3C`**. However, this function only performs a blacklist-based character check and does **not** reject control characters such as line feed (`\n`) or carriage return (`\r`). If a remote attacker supplies a crafted `ipaddr` value containing a newline, the program proceeds along the normal execution path and uses `snprintf` to build a shell command from the attacker-controlled input:
```c
snprintf(v29, 128, "/sbin/applogin.sh del %s >/dev/null 2>&1", v9);
system(v29);
```
Because `v9` is fully attacker-controlled and is inserted into a shell command **without quoting or strict allowlist validation**, an attacker can inject an additional shell command by using a URL-encoded newline such as `%0a`. This results in **remote command execution**.
Notably, testing in the target environment showed that **a valid session cookie is not required** to reach the vulnerable command execution path. The attacker only needs to supply the administrator password material that the `page=login` logic checks (see step 4 below), so the issue is exploitable by anyone holding the admin password, without a prior login.
### Vulnerability details
**Affected component**: `/cgi-bin/login.cgi`
**Affected functions**: `sub_4012D0` (main vulnerable logic), `sub_405A3C` (insufficient validation)
In the `main` function, the program reads POST data from `stdin`, extracts the `page` parameter from user-controlled input, and dispatches execution according to its value. When the `page` parameter is set to `login`, the program calls `sub_4012D0`.
---
### Main logic execution: `sub_4012D0` (trigger point of the vulnerability)
This function acts as the vulnerable handler. It trusts the output of the blacklist filter and then places attacker-controlled input into a shell command executed via `system()`.
- **Data flow**:
1. **Get input**: The function retrieves multiple HTTP parameters through `sub_4041BC`, including `ipaddr`, `hostname`, `key`, and `password_vlaue`.
2. **Duplicate input**: The returned `ipaddr` value is duplicated using `strdup` and stored in `v9`.
3. **Call filter**: The program invokes `sub_405A3C(v9)` to determine whether the input contains any blocked characters.
4. **Password verification**: The program combines the attacker-controlled `key` with the configured administrator password, computes an MD5 value, and compares the first 32 bytes against the attacker-supplied `password_vlaue`.
5. **Unsafe command construction**: If the password check succeeds, the function performs the following operation:
```c
snprintf(v29, 128, "/sbin/applogin.sh del %s >/dev/null 2>&1", v9);
system(v29);
```
6. **Command injection occurs**: Since `v9` is attacker-controlled and is not quoted, a newline decoded from `%0a` is interpreted by the shell as a command separator, so everything after it runs as a second command. |
|---|
| Source | https://github.com/havenoideal123/wavlink-vuln/blob/main/login/login-rce.md |
|---|
| User | alex_7 (UID 97263) |
|---|
| Submitted | 2026-04-11 12:04 (2 months ago) |
|---|
| Moderation | 2026-05-10 16:33 (29 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB Entry | 325131 [Wavlink WL-NU516U1 240425 /cgi-bin/login.cgi sub_4012A0 ipaddr Privilege Escalation] |
|---|
| Points | 0 |
|---|
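
The defect described in the Description field, reduced to a stand-alone C program as an added example (this is not code from the advisory, the linked GitHub write-up, or the Wavlink firmware): a blacklist filter standing in for `sub_405A3C` that lets `\n` through, the unquoted `snprintf()` construction quoted in the advisory, and a hardened form that allowlists the value with `inet_pton()` and invokes the script through `execv()` instead of `system()`. The `blacklist_filter`, `url_decode`, `injected_command_count`, `is_valid_ipv4` and `run_applogin_del` functions, the `/bin/true` stand-in for `/sbin/applogin.sh`, and the `10.0.0.5%0aid` payload are all assumptions constructed for this example; the real character set blocked by `sub_405A3C` is not published on this page.

```c
/* Added example, not code from the advisory or the Wavlink firmware. */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* ASSUMPTION: the real sub_405A3C blacklist is not shown on the page. This stand-in
 * rejects the usual shell metacharacters but, as the advisory describes, lets \n and
 * \r through. Returns 1 when the value is accepted. */
int blacklist_filter(const char *s)
{
    static const char blocked[] = ";|&`$<>(){}'\"\\";
    for (; *s; s++)
        if (strchr(blocked, (unsigned char)*s))
            return 0;
    return 1;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Minimal percent-decoder standing in for the CGI parameter parsing (sub_4041BC). */
void url_decode(char *dst, size_t dstlen, const char *src)
{
    size_t i = 0;
    while (*src && i + 1 < dstlen) {
        int hi, lo;
        if (src[0] == '%' && (hi = hexval(src[1])) >= 0 && (lo = hexval(src[2])) >= 0) {
            dst[i++] = (char)(hi * 16 + lo);
            src += 3;
        } else {
            dst[i++] = (*src == '+') ? ' ' : *src;
            src++;
        }
    }
    dst[i] = '\0';
}

/* Vulnerable construction from the advisory: the value is interpolated unquoted. */
int build_login_command(char *out, size_t outlen, const char *ipaddr)
{
    return snprintf(out, outlen, "/sbin/applogin.sh del %s >/dev/null 2>&1", ipaddr);
}

/* sh splits a command string at every newline; this counts the separate commands
 * that system() would hand to the shell (1 means no injection). */
int shell_line_count(const char *cmd)
{
    int n = 1;
    for (; *cmd; cmd++)
        if (*cmd == '\n')
            n++;
    return n;
}

/* Decode a raw CGI value and count the commands the unquoted construction yields. */
int injected_command_count(const char *encoded_ipaddr)
{
    char dec[64], cmd[128];
    url_decode(dec, sizeof dec, encoded_ipaddr);
    build_login_command(cmd, sizeof cmd, dec);
    return shell_line_count(cmd);
}

/* Hardened check: strict allowlist. inet_pton() succeeds only if the whole string
 * is a dotted-quad IPv4 address, so a trailing "\nid" fails outright. */
int is_valid_ipv4(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Hardened call: no shell. The validated value travels as its own argv element, so
 * no byte in it can become a separator. Returns -1 on rejected input or spawn
 * failure, otherwise the child's exit status. `script` is a parameter so the
 * example can be exercised against a harmless binary such as /bin/true. */
int run_applogin_del(const char *script, const char *ipaddr)
{
    if (!is_valid_ipv4(ipaddr))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)script, (char *)"del", (char *)ipaddr, NULL };
        execv(script, argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *payload = "10.0.0.5%0aid";   /* constructed sample payload */
    char dec[64];
    url_decode(dec, sizeof dec, payload);
    printf("blacklist accepts: %d  shell commands: %d  allowlist accepts: %d\n",
           blacklist_filter(dec), injected_command_count(payload), is_valid_ipv4(dec));
    return 0;
}
```

Compile with `cc example.c` and run: the decoded payload passes the blacklist, turns into two shell commands, and fails the allowlist. The allowlist on its own would already block this bug, but the durable fix is removing the shell from the call path entirely; once the script receives `ipaddr` as a discrete `argv` element there is no parser left for a separator to reach, regardless of which characters a future filter forgets.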