| Title | Wavlink NU516U1 V251208 Stack-based Buffer Overflow |
|---|---|

**Description**

# **Stack Buffer Overflow Vulnerability in Wavlink NU516U1 (V251208) adm.cgi Component via "firmware_url" Parameter in sub_406194 Function**

**Overview**
- **Vendor:** Wavlink
- **Product:** NU516U1
- **Version:** WAVLINK-NU516U1-A-WO-20251208-BYFM
- **Type:** Stack Buffer Overflow
- **Product Usage:** USB Printer Server
- **Firmware Download:** https://docs.wavlink.xyz/Firmware/?category=USB+Printer+Server&model=all
- **Default Password:** admin

**Vulnerability Basic Information**
- **Vulnerable Function:** `sub_406194` (OTA upgrade handling) and its called helper function `sub_40CCA0` (character escaping).
- **Vulnerability Point:** `strcat(a2, v7)` within the `sub_40CCA0` function.
- **Trigger Parameter:** `firmware_url` (corresponds to `v11` -> `v18` in the code).
- **Prerequisites:**
  - The attacker possesses a valid login Session (Cookie).
  - The `brand`, `model`, and `md5` parameters in the request must contain valid characters to bypass the `sub_40CB5C` blacklist check.

**Vulnerability Description**
When handling OTA firmware upgrade requests, the `sub_406194` function retrieves the user-submitted `firmware_url` parameter and calls the helper function `sub_40CCA0` to process this URL, intending to store the result in a fixed-size buffer `v18` (size 260 bytes) allocated on the stack.

The core of the vulnerability lies in a logic flaw in the helper function `sub_40CCA0`: it iterates through the input string and unconditionally adds a backslash `\` before every character for escaping (e.g., input `A` becomes `\A`), so the data expands to twice its original length. The function then uses `strcat` to append the expanded data to the target buffer without performing any boundary check on the target buffer.

An attacker only needs to send a `firmware_url` exceeding 130 bytes (exceeding 260 bytes after expansion) to cause the `v18` buffer to overflow. The overflowed data sequentially overwrites local variables on the stack, the saved registers (s0-s7), and finally the function's return address (`$ra`). When the function attempts to return, the execution flow is hijacked, leading to Remote Code Execution (RCE) or Denial of Service (DoS).

Reference: https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/firmware_url.md
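As an added illustration (not code from the advisory or from the firmware), the escaping pattern described above modelled in C beside a bounded form that rejects any input whose escaped form would not fit the 260-byte buffer; the function names, the 2-character temporary passed to `strcat`, and the sample input are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Size of the stack buffer v18 in sub_406194, as stated in the advisory. */
#define V18_SIZE 260

/* Model of the escaping loop the advisory attributes to sub_40CCA0: every
 * input byte is prefixed with a backslash and appended with strcat(), so the
 * output grows to 2*strlen(src) with no check against the capacity of dst.
 * Hypothetical reconstruction, not the firmware's own code. */
void escape_unbounded(char *dst, const char *src)
{
    char pair[3] = { '\\', 0, 0 };
    dst[0] = '\0';
    for (; *src; src++) {
        pair[1] = *src;
        strcat(dst, pair);  /* the strcat(a2, v7) pattern: dst size never consulted */
    }
}

/* Bytes the escaped form of src occupies, including the NUL terminator. */
size_t escaped_size(const char *src)
{
    return 2 * strlen(src) + 1;
}

/* Hardened form: the capacity of dst is passed in and the input is rejected
 * when its escaped form plus terminator would not fit.
 * Returns 1 on success, 0 if the input was rejected (dst left untouched). */
int escape_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0 || escaped_size(src) > dst_size)
        return 0;
    size_t o = 0;
    for (; *src; src++) {
        dst[o++] = '\\';
        dst[o++] = *src;
    }
    dst[o] = '\0';
    return 1;
}

int main(void)
{
    char buf[V18_SIZE], url[200];           /* constructed 131-byte sample input */
    memset(url, 'A', 131); url[131] = '\0';
    printf("131-byte input needs %zu bytes, buffer holds %d\n", escaped_size(url), V18_SIZE);
    printf("bounded escape accepted it: %d\n", escape_bounded(buf, sizeof buf, url));
    return 0;
}
```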

| Source | https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/firmware_url.md |
|---|---|
| User | haimianbaobao (UID 94979) |
| Submission | 04.02.2026 10:06 (3 months ago) |
| Moderation | 15.02.2026 20:40 (11 days later) |
| Status | accepted |
| VulDB Entry | 346173 [Wavlink WL-NU516U1 up to 130/260 /cgi-bin/adm.cgi sub_406194 firmware_url memory corruption] |
| Points | 20 |