| Title | yealink T46U 108.86.0.118 Stack-based Buffer Overflow |
|---|
| Description | Yealink T46U phone firmware `x.x.x.x` contains an off-by-one stack write vulnerability in the Web FastCGI service `fcgiserver`. The vulnerable endpoint is:
```text
POST /api/inner/bttest
```
The endpoint is handled by `mod_webd.BlueToothTest()`. For the `connect` and `disconnect` actions, the handler parses JSON fields including `btMac`, `pin`, and `reserved`, truncates them, and copies them into fixed offsets inside a 256-byte stack buffer. A 127-byte `reserved` value causes the terminating NUL byte from `strcpy()` to be written one byte past the end of the stack buffer.
poc
POST /api/inner/bttest?p=Setting&t=<timestamp>&action=connect HTTP/1.1
Host: <target>
Cookie: JSESSIONID=<valid-session>
X-Csrftoken: <valid-token>
Content-Type: application/json;charset=UTF-8
{"btMac":"00:11:22:33:44:55","pin":"0000","reserved":"<127 bytes>"}
|
|---|
| Source | ⚠️ http://cdn2.v50to.cc/T46U/T46U_mod_webd_BlueToothTest_off_by_one.zip |
|---|
| User | ChiChen241 (UID 98424) |
|---|
| Submission | 05/21/2026 04:56 (25 days ago) |
|---|
| Moderation | 06/14/2026 15:54 (24 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 370865 [Yealink SIP-T46U 108.86.0.118 Web FastCGI Service /api/inner/bttest mod_webd.BlueToothTest btMac/pin/reserved stack-based overflow] |
|---|
| Points | 20 |
|---|