| Title | Wavlink NU516U1 V251208 Stack-based Buffer Overflow |
|---|
| Description | # Wavlink NU516U1 (V251208) login.cgi Component sub_401A10 Function Stack Buffer Overflow Vulnerability via "ipaddr" Parameter
**Overview**
- **Vendor:** Wavlink
- **Product:** NU516U1
- **Version:** WAVLINK-NU516U1-A-WO-20251208-BYFM (V251208)
- **Type:** Stack Buffer Overflow
- **Product Usage:** USB Printer Server / Wireless Router
- **Firmware Download Link:** https://docs.wavlink.xyz/Firmware/?category=USB+Printer+Server&model=WL-NU516U1-A
- **Default Login Password:** admin
### Basic Vulnerability Information
- **Vulnerable Function:** `sub_401A10` (handles the `sys_login1` interface)
- **Vulnerability Point:** `sprintf(v18, "web 2860 sys addUser \"%s\"", v4);`
- **Trigger Parameter:** `ipaddr` (corresponds to `v4` in the code)
- **Prerequisites:** The request must be authenticated: the submitted `password` parameter must match the MD5 hash of the administrator password, and a valid session cookie must be presented.
### Vulnerability Description
In Wavlink NU516U1 firmware version V251208, the vendor attempted to fix a command injection vulnerability present in earlier versions by introducing the `sub_4059BC` filter function. The `sub_401A10` function in the `/cgi-bin/login.cgi` component nevertheless still contains a stack buffer overflow.
Inside the function, a fixed-size 128-byte buffer `v18` is defined on the stack. After the MD5 password check passes, the program calls `sub_4059BC` on the user-supplied `ipaddr` parameter. That filter only rejects shell metacharacters (such as `;`, `|`, etc.); it never checks the length of the input.
An attacker can therefore supply an overly long string made entirely of characters the filter permits (for example the letter `A`) and pass the filter. The program then uses `sprintf` to concatenate this value into `v18`. Because `sprintf` does not bound the number of bytes it writes, and the fixed format prefix `web 2860 sys addUser "` already occupies 22 bytes (plus the closing quote and NUL terminator, leaving 104 bytes for the value), a sufficiently long `ipaddr` writes past the end of the buffer; the reported crash threshold is approximately 106 bytes. The out-of-bounds write overwrites adjacent local variables on the stack and the saved return address (`$ra`). This crashes the CGI process (segmentation fault), causing a denial of service (DoS), and under specific conditions could potentially be exploited for remote code execution (RCE). |
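The following C model illustrates the bug pattern described above: a metacharacter filter that never checks length, followed by an unbounded `sprintf` into a 128-byte stack buffer, beside a hardened variant. This is an added example, not code from the firmware or from the advisory author; `filter_metachars` is a hypothetical stand-in for `sub_4059BC`, the blacklist it uses is an assumption, and the only details taken from the advisory are the format string and the 128-byte buffer size. The overflow is measured with `snprintf(NULL, 0, ...)` rather than triggered, so the program runs safely; the computed threshold (value longer than 104 bytes) follows from the format string alone and will differ slightly from the reported crash threshold depending on the real binary's stack layout.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 128   /* size of v18 per the advisory */

/* Format string from the vulnerability point in sub_401A10. */
static const char *FMT = "web 2860 sys addUser \"%s\"";

/* Hypothetical stand-in for sub_4059BC: rejects shell metacharacters only.
   The exact blacklist is an assumption; what matters is that length is never checked. */
int filter_metachars(const char *s) {
    static const char *bad = ";|&$`<>\\\"'\n\r";
    for (; *s; s++)
        if (strchr(bad, *s)) return 0;
    return 1;
}

/* Number of bytes sprintf(v18, FMT, ipaddr) would write, including the NUL,
   measured without writing anything (snprintf with a zero-size buffer). */
size_t formatted_len(const char *ipaddr) {
    int n = snprintf(NULL, 0, FMT, ipaddr);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* 1 if the vulnerable sprintf would write past a BUF_SIZE-byte v18, else 0. */
int would_overflow(const char *ipaddr) {
    return formatted_len(ipaddr) > BUF_SIZE;
}

/* Strict dotted-quad check: four decimal octets 0..255, at most 15 characters.
   A defence-in-depth validator for a parameter that should only ever be an IPv4 address. */
int is_ipv4_literal(const char *s) {
    int octets = 0;
    if (strlen(s) > 15) return 0;
    while (*s) {
        int v = 0, digits = 0;
        while (*s >= '0' && *s <= '9') {
            v = v * 10 + (*s - '0');
            if (++digits > 3) return 0;
            s++;
        }
        if (digits == 0 || v > 255) return 0;
        octets++;
        if (*s == '.') { s++; if (!*s) return 0; }
        else if (*s) return 0;
    }
    return octets == 4;
}

/* Hardened command builder: keeps the metacharacter filter, adds the IPv4 check,
   bounds the write with snprintf and treats truncation as an error.
   Returns the command length on success, a negative code on rejection. */
int build_adduser_cmd(char *out, size_t outsz, const char *ipaddr) {
    if (!filter_metachars(ipaddr)) return -1;           /* metacharacter rejected */
    if (!is_ipv4_literal(ipaddr)) return -2;            /* not a dotted quad */
    int n = snprintf(out, outsz, FMT, ipaddr);
    if (n < 0 || (size_t)n >= outsz) return -3;         /* would have truncated */
    return n;
}

/* Helpers for the all-'A' payload from the advisory: build a value of length n
   and report what the vulnerable and hardened paths would do with it. */
int overflow_at_length(size_t n) {
    char *p = malloc(n + 1);
    if (!p) return -1;
    memset(p, 'A', n);
    p[n] = '\0';
    int r = would_overflow(p);
    free(p);
    return r;
}

int hardened_at_length(size_t n) {
    char out[BUF_SIZE];
    char *p = malloc(n + 1);
    if (!p) return -99;
    memset(p, 'A', n);
    p[n] = '\0';
    int r = build_adduser_cmd(out, sizeof out, p);
    free(p);
    return r;
}

int main(void) {
    printf("104 x 'A' overflows v18: %d\n", overflow_at_length(104));
    printf("105 x 'A' overflows v18: %d\n", overflow_at_length(105));
    printf("hardened builder, 200 x 'A': %d\n", hardened_at_length(200));
    char out[BUF_SIZE];
    printf("hardened builder, 192.168.1.1: %d\n", build_adduser_cmd(out, sizeof out, "192.168.1.1"));
    return 0;
}
```

The all-`A` payload passes `filter_metachars` exactly as the advisory describes; only the length accounting in `would_overflow` reveals the problem. In the hardened builder the IPv4 check alone caps the value at 15 bytes, and the bounded `snprintf` with a truncation check makes the format-string arithmetic irrelevant to memory safety.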
|---|
| Source | https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/ipaddr.md |
|---|
| User | haimianbaobao (UID 94979) |
|---|
| Submission | 02/16/2026 15:23 (2 months ago) |
|---|
| Moderation | 03/07/2026 09:56 (19 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 349649 [Wavlink NU516U1 251208 /cgi-bin/login.cgi sub_401A10 ipaddr out-of-bounds write] |
|---|
| Points | 20 |
|---|