| Title | Wavlink NU516U1 V251208 Stack-based Buffer Overflow |
|---|
| Description | ## **Stack-based Buffer Overflow in Wavlink NU516U1 (V251208) via "time_zone" parameter on adm.cgi interface of adm.cgi component**
------
### **Overview**
- **Vendor**: Wavlink
- **Product**: NU516U1
- **Version**: WAVLINK-NU516U1-A-WO-20251208-BYFM
- **Vulnerability Type**: Stack-based Buffer Overflow
- **Product Purpose**: USB Printer Server
- **Firmware Download**: https://docs.wavlink.xyz/Firmware/?category=USB+Printer+Server&model=all
- **Default Password**: `admin`
------
### **Vulnerability Information**
- **Vulnerable Function**: `sub_40785C` (Handles NTP and Timezone settings)
- **Vulnerability Point**: `strcpy(v31, v4);`
- **Trigger Parameter**: `time_zone` (corresponds to `v4`)
- **Prerequisite**: `dstEnabled` must be set to `"1"` to enter the vulnerable branch.
------
### **Vulnerability Description**
Under the MIPS 32-bit architecture, this function allocates a fixed-size buffer `v31` (16 bytes) on the stack. The program uses `sub_40B2F8` to extract the `time_zone` string directly from the user's POST request. Prior to executing the `strcpy` copy operation, the program performs no validation on the length of the user-supplied string. An attacker can send a string exceeding 15 bytes (leaving 1 byte for `\x00`) to break the boundaries of `v31`, sequentially overwriting adjacent local variables, saved register values, and finally the return address (`$ra`) on the stack. When the function attempts to return, the execution flow is hijacked to an address controlled by the attacker. |
|---|
| Source | ⚠️ https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/time_zone.md |
|---|
| User | haimianbaobao (UID 94979) |
|---|
| Submission | 03/02/2026 16:25 (3 months ago) |
|---|
| Moderation | 15/02/2026 20:40 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 346172 [Wavlink WL-NU516U1 20251208 /cgi-bin/adm.cgi sub_40785C time_zone Buffer Overflow] |
|---|
| Points | 20 |
|---|
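
The missing length check described in the report, written as a bounded copy. This is an added example, not code from the firmware or the original submission: the function names `copy_time_zone` and `handle_dst_settings`, the return codes and the sample values are assumptions, and only the 16-byte buffer size, the `strcpy(v31, v4)` pattern and the `dstEnabled == "1"` precondition come from the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TZ_BUF_LEN 16 /* size of the stack buffer v31 given in the report */

/* Reported pattern: strcpy(v31, v4); copies until the NUL with no regard
 * for TZ_BUF_LEN. The functions below are a hypothetical replacement. */

/* Copy time_zone into dst only if it fits including the terminator.
 * Returns 0 on success, -1 if the value is missing or too long.
 * On rejection dst is left untouched. */
int copy_time_zone(char dst[TZ_BUF_LEN], const char *time_zone)
{
    size_t len = 0;

    if (dst == NULL || time_zone == NULL)
        return -1;
    /* Bounded scan: never read past TZ_BUF_LEN bytes of the input. */
    while (len < TZ_BUF_LEN && time_zone[len] != '\0')
        len++;
    if (len == TZ_BUF_LEN) /* 16 or more bytes: no room for '\0' */
        return -1;
    memcpy(dst, time_zone, len + 1);
    return 0;
}

/* Hypothetical handler shaped like the branch in the report: the copy is
 * reached only when dstEnabled is "1". Returns 1 if the branch was skipped,
 * 0 if the value was stored, -1 if the request must be rejected. */
int handle_dst_settings(const char *dst_enabled, const char *time_zone,
                        char out[TZ_BUF_LEN])
{
    if (dst_enabled == NULL || strcmp(dst_enabled, "1") != 0)
        return 1;
    return copy_time_zone(out, time_zone);
}

int main(void)
{
    char tz[TZ_BUF_LEN] = "";
    /* Constructed sample values, not taken from the device. */
    const char *samples[] = { "UTC+8", "AAAAAAAAAAAAAAA", "AAAAAAAAAAAAAAAA" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%zu bytes -> %d\n", strlen(samples[i]),
               handle_dst_settings("1", samples[i], tz));
    return 0;
}
```

A value of exactly 15 bytes is the longest that is accepted; at 16 bytes the request is rejected and the destination buffer is not written.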