Submission #752016: Wavlink NU516U1 V251208 Stack-based Buffer Overflow (info)

Title: Wavlink NU516U1 V251208 Stack-based Buffer Overflow

Description:

# Wavlink NU516U1 (V251208) nas.cgi Component sub_401218 Function Stack Buffer Overflow via "User1Passwd" Parameter

### Overview

- **Vendor**: Wavlink
- **Product**: NU516U1
- **Version**: WAVLINK-NU516U1-A-WO-20251208-BYFM
- **Type**: Stack Buffer Overflow
- **Product Use**: USB Printer Server
- **Firmware Download**: https://docs.wavlink.xyz/Firmware/?category=USB+Printer+Server&model=all
- **Default Password**: admin

### Vulnerability Information

- **Vulnerable Function**: `sub_401218` (NAS settings processing) and its helper function `sub_4051B0` (character escaping)
- **Vulnerability Point**: `strcat(a2, v7)` within function `sub_4051B0`
- **Trigger Parameter**: `User1Passwd` (corresponds to `v5` -> `v11` in code)
- **Prerequisites**:
  - Attacker must possess a valid login Session (Cookie).
  - Request parameter `enable_storage_management` must be set to `1` to enter the vulnerable code branch.

### Vulnerability Description

While processing NAS (Storage Management) configuration requests, the `sub_401218` function retrieves the `User1Passwd` parameter submitted by the user. This parameter is then passed to the helper function `sub_4051B0` for escaping, and the result is meant to be stored in a fixed-size stack buffer `v11` (128 bytes in size).

The root cause of this vulnerability is identical to the previously discovered OTA upgrade vulnerability: the helper function `sub_4051B0` forcibly prepends a backslash `\` to every character during string processing (e.g., `A` becomes `\A`), causing the data length to **expand by a factor of 2**. Because `strcat` appends the expanded data to the target buffer `v11` without any boundary checks, an attacker providing a password exceeding 64 bytes can easily overflow the 128-byte stack space. The overflow data overwrites local variables and the return address (`$ra`) on the stack, so that execution flow can be hijacked to an attacker-controlled address when the function returns.

Details: https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/nas.cgi_User1Passwd.md
Source: https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/nas.cgi_User1Passwd.md
User: haimianbaobao (UID 94979)
Submitted: 2026-02-04 15:23 (3 months ago)
Moderation: 2026-02-15 20:40 (11 days later)
Status: Accepted
VulDB entry: 346174 [Wavlink WL-NU516U1 20251208 /cgi-bin/nas.cgi sub_401218 User1Passwd memory corruption]
Points: 20
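
The missing bounds check from the description above, shown as an added example that is not part of the submission or the vendor's firmware: the escaping pattern the report describes, next to a variant that checks the worst-case 2x expansion against the destination size before writing. All names (`escape_unbounded`, `escape_bounded`, `escaped_len_for`, `NAS_FIELD_BUF`) are hypothetical and the input is constructed; only the 128-byte buffer size and the backslash-per-character behaviour come from the report.

```c
#include <stdio.h>
#include <string.h>

#define NAS_FIELD_BUF 128 /* size of stack buffer v11 as given in the report */

/* Modelled on the report's description (not decompiled code): each byte is
 * appended as "\" + byte via strcat, with no knowledge of dst's size. */
void escape_unbounded(const char *src, char *dst)
{
    char pair[3] = { '\\', 0, 0 };
    for (; *src; src++) {
        pair[1] = *src;
        strcat(dst, pair);
    }
}

/* Hardened form (hypothetical fix): checks the worst-case 2x expansion plus
 * the terminator before writing. Returns 0 on success, -1 if it cannot fit. */
int escape_bounded(const char *src, char *dst, size_t dst_size)
{
    const char *end = dst_size ? memchr(dst, '\0', dst_size) : NULL;
    size_t used, n = strlen(src);
    if (end == NULL) return -1;                   /* dst not terminated in range */
    used = (size_t)(end - dst);
    if (n > (dst_size - used - 1) / 2) return -1; /* 2*n + 1 bytes must fit */
    for (size_t i = 0; i < n; i++) {
        dst[used++] = '\\';
        dst[used++] = src[i];
    }
    dst[used] = '\0';
    return 0;
}

/* Escapes a constructed value of `len` 'A' bytes into a fresh 128-byte
 * buffer; returns the escaped length, or -1 when the input is rejected. */
int escaped_len_for(size_t len)
{
    char in[256], out[NAS_FIELD_BUF] = "";
    if (len >= sizeof in) return -1;
    memset(in, 'A', len);
    in[len] = '\0';
    return escape_bounded(in, out, sizeof out) ? -1 : (int)strlen(out);
}

int main(void)
{
    printf("63 -> %d, 64 -> %d\n", escaped_len_for(63), escaped_len_for(64));
    return 0;
}
```

Because the terminator also needs a byte, the bounded version accepts at most 63 input bytes for an empty 128-byte destination and rejects anything longer without writing.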
