Wavlink NU516U1 Stack-Based Buffer Overflow Vulnerability in NAS CGI Component
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the Wavlink NU516U1 printer server, specifically in the NAS settings processing function of the CGI component. The flaw arises from improper handling of the 'User1Passwd' parameter, which is passed through a character escaping routine that doubles the data length. The expanded input exceeds the capacity of a fixed-size stack buffer, allowing critical execution control data, including the return address, to be overwritten and potentially leading to arbitrary code execution.
Impact
Exploitation of this vulnerability causes a stack-based buffer overflow, where the expanded 'User1Passwd' input overwrites the return address on the stack. This manipulation can hijack the execution flow, directing it to an address controlled by the attacker, which could be used to execute arbitrary code.
Reproduction
To reproduce this vulnerability, send a POST request to '/cgi-bin/nas.cgi' with the 'enable_storage_management' parameter set to '1' and the 'User1Passwd' parameter containing a string longer than 64 bytes. The input will be expanded during processing, causing it to overflow the 128-byte stack buffer and overwrite the return address, leading to a crash and a '500 Internal Server Error' response.
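The length arithmetic described in the Vulnerability and Reproduction sections, as an added illustration that is not code from the Wavlink firmware: an unchecked escape routine writing into a 128-byte buffer beside a bounded version that refuses input whose escaped form does not fit. The exact escape rule (a backslash before every byte, so output is exactly twice the input) and the buffer name are assumptions; the advisory only states that the routine doubles the length.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer described in the advisory. */
#define NAS_PASSWD_BUF 128

/* Assumed escape rule: each input byte is prefixed with a backslash, so the
 * escaped form is exactly twice the raw length (terminator not included). */
static size_t escaped_len(const char *in) {
    return 2 * strlen(in);
}

/* Vulnerable pattern: expands into 'out' with no check that 2*len + 1 fits.
 * Shown for contrast only; this file never calls it with oversize input. */
static void escape_unchecked(char *out, const char *in) {
    while (*in) { *out++ = '\\'; *out++ = *in++; }
    *out = '\0';
}

/* Hardened pattern: verify the required size (escaped bytes plus NUL)
 * against the destination before writing anything. Returns false and
 * leaves 'out' untouched when the input would overflow. */
static bool escape_bounded(char *out, size_t out_size, const char *in) {
    size_t need = escaped_len(in) + 1;
    if (need > out_size) return false;
    escape_unchecked(out, in);   /* safe: bound already checked */
    return true;
}

/* Largest raw length whose doubled form plus terminator fits out_size:
 * for the 128-byte buffer this is (128 - 1) / 2 = 63 bytes. */
static size_t max_safe_input_len(size_t out_size) {
    return (out_size - 1) / 2;
}

int main(void) {
    char buf[NAS_PASSWD_BUF];
    char input[80];
    memset(input, 'A', 65);       /* constructed: 65-byte value, longer than 64 */
    input[65] = '\0';
    printf("65-byte input needs %zu bytes, buffer holds %d: %s\n",
           escaped_len(input) + 1, NAS_PASSWD_BUF,
           escape_bounded(buf, sizeof buf, input) ? "accepted" : "rejected");
    return 0;
}
```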
