| 标题 | WAVLINK NU516U1 M16U1_V260515 OS Command Injection |
|---|
| 描述 | CSRF Authentication Bypass Chained with Stored Command Injection (RCE) in WAVLINK NU516U1 Router Firmware WO-A-2026-05-15-708c073 (MT7628 / MIPS 24KEc, lighttpd).
Two-stage stored command injection in adm.cgi: Step 1 (page=lan) stores user-supplied `lan_ip` into UCI winstar.system.lan_ipaddr via wlink_uci_set_value() without sanitization. Step 2 (page=openDHCP) reads the persisted value from UCI, concatenates it into an `ifconfig br-lan %s` command via sprintf(), and executes it through system() — shell metacharacter `;` enables arbitrary command execution. The payload persists in /etc/config/winstar between requests.
All three CSRF defenses are defeated, enabling full remote exploitation via a single malicious webpage:
1) No SameSite Attribute — login.cgi's make_cookie_string() @ 0x405728 sets `Set-Cookie: session=%s; Path=/` without SameSite=Strict, so cross-site <form> POST top-level navigations carry the session cookie. check_valid_user() @ 0x40A4CC validates the session by matching HTTP_COOKIE against /tmp/loginuser, so any logged-in admin visiting a malicious page automatically passes authentication.
2) No CSRF Tokens — adm.cgi main() @ 0x400FD0 dispatches to 20+ page handlers (lan, openDHCP, set_sys_adm, reboot, loaddefault, auto_upgrade, etc.) without requiring any anti-CSRF token in the POST body.
3) Bypassable Referer Check — check_csrf_referer() @ 0x40B394 validates HTTP_REFERER via strstr() sub-string matching against LAN/WAN IPs and user-configured domain names. strstr() performs only substring matching without URL parsing, so hosting the malicious page on a domain containing the router's LAN IP (e.g., 192.168.10.1.evil.com) satisfies the check: strstr("http://192.168.10.1.evil.com/", "192.168.10.1") returns a match.
Verified via static binary analysis (IDA Pro / MIPS decompilation) and dynamic testing on EMUX-emulated firmware with pwndbg. PoC HTML page provided. Input validation bypass, shell metacharacter injection, and authentication bypass are all demonstrated with code-level evidence. |
|---|
| 来源 | ⚠️ https://github.com/0xcc12138/wavlink-nu516u1-csrf-command-injection- |
|---|
| 用户 | 0xcc12138 (UID 97530) |
|---|
| 提交 | 2026-06-04 09時15分 (1 月前) |
|---|
| 管理 | 2026-07-12 08時26分 (1 month later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 377842 [Wavlink WL-NU516U1 260515 /cgi-bin/adm.cgi wlink_uci_set_value lan_ip 权限提升] |
|---|
| 积分 | 20 |
|---|