| 제목 | yealink T46U 108.86.0.118 Stack-based Buffer Overflow |
|---|
| 설명 | Yealink T46U phone firmware `x.x.x.x` contains a stack buffer overflow vulnerability in the accessory firmware chunk upload handler of `fcgiserver`. The vulnerable endpoint is:
```text
POST /api/upgrade/accupgradebychunk
```
The vulnerable handler is `mod_upgrade.SparePartsUpload()`. During the `finish` phase, the request-controlled `uid` value is inserted into a fixed-size stack buffer with `sprintf()` without length validation. The `upload` phase also uses request-controlled path fragments to construct a rename destination.
poc
POST /api/upgrade/prepareaccessories?p=Upgrade&t=<timestamp> HTTP/1.1
...
POST /api/upgrade/accupgradebychunk?p=Upgrade&t=<timestamp> HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
type=headsetrom&phase=finish&uid=<long-string> |
|---|
| 원천 | ⚠️ http://cdn2.v50to.cc/T46U/T46U_mod_upgrade_SparePartsUpload_stack_overflow.zip |
|---|
| 사용자 | CookedMelon (UID 52513) |
|---|
| 제출 | 2026. 05. 20. PM 05:36 (29 날 ago) |
|---|
| 모더레이션 | 2026. 06. 14. PM 03:54 (25 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 370863 [Yealink SIP-T46U 108.86.0.118 Firmware Chunk Upload handler accupgradebychunk mod_upgrade.SparePartsUpload uid 메모리 손상] |
|---|
| 포인트들 | 20 |
|---|