Submit #752016: Wavlink NU516U1 V251208 Stack-based Buffer Overflow (info)

Title: Wavlink NU516U1 V251208 Stack-based Buffer Overflow

Description:

# Wavlink NU516U1 (V251208) nas.cgi Component sub_401218 Function Stack Buffer Overflow via "User1Passwd" Parameter

### Overview

- **Vendor**: Wavlink
- **Product**: NU516U1
- **Version**: WAVLINK-NU516U1-A-WO-20251208-BYFM
- **Type**: Stack Buffer Overflow
- **Product Use**: USB Printer Server
- **Firmware Download**: https://docs.wavlink.xyz/Firmware/?category=USB+Printer+Server&model=all
- **Default Password**: admin

### Vulnerability Information

- **Vulnerable Function**: `sub_401218` (NAS settings processing) and its helper function `sub_4051B0` (character escaping)
- **Vulnerability Point**: `strcat(a2, v7)` within function `sub_4051B0`
- **Trigger Parameter**: `User1Passwd` (corresponds to `v5` -> `v11` in code)
- **Prerequisites**:
  - Attacker must possess a valid login Session (Cookie).
  - Request parameter `enable_storage_management` must be set to `1` to enter the vulnerable code branch.

### Vulnerability Description

While processing NAS (Storage Management) configuration requests, the `sub_401218` function retrieves the `User1Passwd` parameter submitted by the user. This parameter is subsequently passed to the helper function `sub_4051B0` for escaping, intended to store the result in a fixed-size stack buffer `v11` (128 bytes in size).

The root cause of this vulnerability is identical to the previously discovered OTA upgrade vulnerability: the helper function `sub_4051B0` forcibly prepends a backslash `\` to every character during string processing (e.g., `A` becomes `\A`), causing the data length to **expand by a factor of 2**.

Because `strcat` appends the expanded data to the target buffer `v11` without any boundary checks, an attacker providing a password exceeding 64 bytes can easily overflow the 128-byte stack space. The overflow data overwrites local variables and the return address (`$ra`) on the stack, allowing for a hijack of the execution flow to an attacker-controlled address upon function return.
Details: https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/nas.cgi_User1Passwd.md
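The length arithmetic behind the overflow described above, as an added example (not Wavlink's firmware code and not code from the submission): a bounded version of the escape-and-append step that rejects input instead of writing past the buffer. It assumes every input byte is escaped to two bytes, as the description states; `escape_append` and `max_accepted_len` are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PASSWD_BUF 128  /* size the page gives for the stack buffer v11 */

/* Bounded form of the "escape, then strcat" step: appends src to dst with a
 * backslash before every character. dst has capacity dst_cap and must hold a
 * NUL-terminated string. Returns 0 on success, -1 if the escaped data would
 * not fit; dst is left unchanged on failure so the request can be rejected. */
static int escape_append(char *dst, size_t dst_cap, const char *src)
{
    const char *end = memchr(dst, '\0', dst_cap);
    if (end == NULL)                      /* dst is not terminated */
        return -1;
    size_t used = (size_t)(end - dst);
    size_t n = strlen(src);
    /* Need 2*n bytes plus the NUL; written this way to avoid overflow in 2*n. */
    if (n > (dst_cap - used - 1) / 2)
        return -1;
    char *p = dst + used;
    for (size_t i = 0; i < n; i++) {
        *p++ = '\\';
        *p++ = src[i];
    }
    *p = '\0';
    return 0;
}

/* Constructed probe: longest input of 'A' bytes that an empty PASSWD_BUF-byte
 * buffer accepts once every byte is doubled by escaping. */
static size_t max_accepted_len(void)
{
    char in[PASSWD_BUF + 1], out[PASSWD_BUF];
    size_t best = 0;
    for (size_t n = 0; n <= PASSWD_BUF; n++) {
        memset(in, 'A', n);
        in[n] = '\0';
        out[0] = '\0';
        if (escape_append(out, sizeof out, in) == 0)
            best = n;
    }
    return best;
}

int main(void)
{
    printf("longest accepted input: %zu bytes\n", max_accepted_len());
    return 0;
}
```

With an empty 128-byte destination the bound works out to 63 input bytes, because the terminating NUL needs the last byte.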
Source: ⚠️ https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/nas.cgi_User1Passwd.md
User: haimianbaobao (UID 94979)
Submission: 04/02/2026 15:23 (3 months ago)
Moderation: 15/02/2026 20:40 (11 days later)
Status: Accepted
VulDB entry: 346174 [Wavlink WL-NU516U1 20251208 /cgi-bin/nas.cgi sub_401218 User1Passwd buffer overflow]
Points: 20
