| Title | Wavlink NU516U1 V251208 Stack-based Buffer Overflow |
|---|
| Description | # **Stack Buffer Overflow Vulnerability in Wavlink NU516U1 (V251208) adm.cgi Component via "firmware_url" Parameter in sub_406194 Function**
**Overview**
- **Vendor:** Wavlink
- **Product:** NU516U1
- **Version:** WAVLINK-NU516U1-A-WO-20251208-BYFM
- **Type:** Stack Buffer Overflow
- **Product Usage:** USB Printer Server
- **Firmware Download:** https://docs.wavlink.xyz/Firmware/?category=USB+Printer+Server&model=all
- **Default Password:** admin
**Vulnerability Basic Information**
- **Vulnerable Function:** `sub_406194` (OTA upgrade handling) and its called helper function `sub_40CCA0` (character escaping).
- **Vulnerability Point:** `strcat(a2, v7)` within the `sub_40CCA0` function.
- **Trigger Parameter:** `firmware_url` (corresponds to `v11` -> `v18` in the code).
- **Prerequisites:**
  - The attacker possesses a valid login session (cookie).
  - The `brand`, `model`, and `md5` parameters in the request must contain valid characters to pass the `sub_40CB5C` blacklist check.
**Vulnerability Description**
When handling OTA firmware upgrade requests, the `sub_406194` function retrieves the user-submitted `firmware_url` parameter and calls the helper function `sub_40CCA0` to process this URL, storing the result in a fixed-size 260-byte buffer `v18` allocated on the stack.
The core of the vulnerability is a logic flaw in the helper function `sub_40CCA0`: it iterates through the input string and adds a backslash `\` before every character as escaping (e.g., input `A` becomes `\A`), so the data grows to twice its original length. The function then uses `strcat` to append the expanded data to the target buffer without checking the target buffer's bounds.
An attacker therefore only needs to send a `firmware_url` longer than 130 bytes (more than 260 bytes after expansion) to overflow the `v18` buffer. The overflowing data sequentially overwrites local variables on the stack, the saved registers (s0-s7), and finally the function's return address (`$ra`). When the function returns, control flow is hijacked, leading to Remote Code Execution (RCE) or Denial of Service (DoS).
Reference: https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/firmware_url.md
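The length-doubling escape and unchecked `strcat` described above, shown as an added example beside a bounds-checked variant. This is reconstructed from the description, not the firmware's actual code; the function names, `DEST_SIZE`, and the 130-byte sample input are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEST_SIZE 260   /* size of the stack buffer v18 named in the report (assumed) */

/* Reconstruction of the described escaping: a backslash is placed before every
 * input byte, and the pair is strcat'ed onto dst without checking dst's capacity.
 * This is the vulnerable pattern; it is only safe for inputs that fit. */
void escape_unchecked(char *dst, const char *src)
{
    char pair[3] = { '\\', 0, 0 };
    for (; *src; src++) {
        pair[1] = *src;
        strcat(dst, pair);      /* dst grows by 2 bytes per input byte */
    }
}

/* Hardened variant: the expanded length is computed up front and input that
 * would not fit is refused. Returns 0 on success, -1 if dst_size is too small. */
int escape_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    size_t used = strlen(dst);
    /* each input byte becomes two output bytes, plus the NUL terminator */
    if (len > (SIZE_MAX - 1) / 2 || used + 2 * len + 1 > dst_size)
        return -1;
    char *p = dst + used;
    for (; *src; src++) {
        *p++ = '\\';
        *p++ = *src;
    }
    *p = '\0';
    return 0;
}

/* Longest input the buffer can hold after doubling: (dst_size - 1) / 2. */
size_t max_safe_input_len(size_t dst_size)
{
    return dst_size ? (dst_size - 1) / 2 : 0;
}

int main(void)
{
    char buf[DEST_SIZE] = "";
    char url[131];
    memset(url, 'A', 130); url[130] = '\0';   /* constructed 130-byte sample input */
    printf("max safe input length for %d-byte buffer: %zu\n", DEST_SIZE, max_safe_input_len(DEST_SIZE));
    printf("130-byte input: %s\n", escape_checked(buf, sizeof buf, url) == 0 ? "accepted" : "rejected");
    return 0;
}
```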
|
|---|
| Source | https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/firmware_url.md |
|---|
| User | haimianbaobao (UID 94979) |
|---|
| Submitted | 2026-02-04 10:06 (3 months ago) |
|---|
| Moderated | 2026-02-15 20:40 (11 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 346173 [Wavlink WL-NU516U1 up to 130/260 /cgi-bin/adm.cgi sub_406194 firmware_url memory corruption] |
|---|
| Points | 20 |
|---|