Wavlink NU516U1 Stack Buffer Overflow Vulnerability in Login CGI Component
Vulnerability
A stack buffer overflow vulnerability has been identified in the Wavlink NU516U1 router, specifically in the V251208 firmware. The issue resides in the login.cgi file, within the sub_401A10 function, which handles the sys_login1 interface. An oversized ipaddr parameter causes an out-of-bounds write on the stack; in the observed case this produces a segmentation fault and a denial-of-service condition, and under certain circumstances it could be exploited to execute remote code.
Impact
Exploitation of this vulnerability causes a segmentation fault, crashing the CGI process and leading to a denial-of-service condition. However, the vulnerability could potentially be exploited to achieve remote code execution under specific conditions.
Reproduction
To reproduce this vulnerability, send a POST request to the /cgi-bin/login.cgi endpoint. The request must include a valid session cookie and a password parameter that matches the MD5 hash of the default admin password. The ipaddr parameter should be populated with a string longer than 106 bytes made up of characters the input filter accepts, such as 'A'. Because the filter accepts these characters, the oversized value passes through it and overflows the buffer when the server processes the request.
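The following C is an added example, not Wavlink's firmware code (which is not on this page): it shows the kind of length-validating parameter read a CGI handler needs in place of an unbounded copy into a fixed stack buffer, and runs a constructed form body through it. The 106-byte destination size is an assumption taken from the reproduction threshold above, and the helper names (find_form_value, read_ipaddr_param, and so on) are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed destination size, taken from the advisory's ">106 bytes" trigger;
 * the real firmware's buffer size is not stated on the page. */
#define IPADDR_FIELD_LEN 106
#define MAX_IPV4_TEXT    15   /* strlen("255.255.255.255") */

enum ipaddr_verdict { IPADDR_OK = 0, IPADDR_MISSING, IPADDR_TOO_LONG, IPADDR_MALFORMED };

/* Hypothetical helper: locate "name=" in an application/x-www-form-urlencoded
 * body and return a pointer to the value and its length without copying it. */
static bool find_form_value(const char *body, const char *name,
                            const char **val, size_t *len)
{
    size_t name_len = strlen(name);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, name, name_len) == 0 && p[name_len] == '=') {
            *val = p + name_len + 1;
            const char *end = strchr(*val, '&');
            *len = end ? (size_t)(end - *val) : strlen(*val);
            return true;
        }
        p = strchr(p, '&');   /* skip to the next key=value pair */
        if (p) p++;
    }
    return false;
}

/* Strict dotted-quad check on a length-delimited value: exactly four
 * octets of 1-3 digits each, every octet <= 255, nothing else accepted. */
static bool is_dotted_quad(const char *s, size_t n)
{
    unsigned octet = 0, digits = 0, dots = 0;
    for (size_t i = 0; i < n; i++) {
        char ch = s[i];
        if (ch >= '0' && ch <= '9') {
            octet = octet * 10 + (unsigned)(ch - '0');
            if (++digits > 3 || octet > 255) return false;
        } else if (ch == '.') {
            if (digits == 0 || ++dots > 3) return false;
            octet = 0;
            digits = 0;
        } else {
            return false;
        }
    }
    return dots == 3 && digits > 0;
}

/* Hardened read of the ipaddr parameter. A character filter alone is not
 * enough: the value's length is checked against both the destination and the
 * longest possible IPv4 string, and the copy happens only after validation. */
enum ipaddr_verdict read_ipaddr_param(const char *body, char *dst, size_t dst_len)
{
    const char *val;
    size_t len;
    if (!find_form_value(body, "ipaddr", &val, &len)) return IPADDR_MISSING;
    if (len >= dst_len || len > MAX_IPV4_TEXT) return IPADDR_TOO_LONG;
    if (!is_dotted_quad(val, len)) return IPADDR_MALFORMED;
    memcpy(dst, val, len);
    dst[len] = '\0';
    return IPADDR_OK;
}

/* Run a body through the hardened read using a stack buffer of the assumed size. */
enum ipaddr_verdict verdict_for_body(const char *body)
{
    char ipaddr[IPADDR_FIELD_LEN];
    return read_ipaddr_param(body, ipaddr, sizeof ipaddr);
}

/* Constructed request body (not captured traffic); the password value is a placeholder. */
static const char SAMPLE_BODY[] =
    "username=admin&ipaddr=192.168.10.1&password=PLACEHOLDER_MD5";

/* Build a body whose ipaddr value is n repeated 'A's (capped at 400) and classify it. */
enum ipaddr_verdict verdict_for_padded_value(size_t n)
{
    char body[512];
    if (n > 400) n = 400;
    size_t off = (size_t)snprintf(body, sizeof body, "username=admin&ipaddr=");
    memset(body + off, 'A', n);
    snprintf(body + off + n, sizeof body - off - n, "&password=PLACEHOLDER_MD5");
    return verdict_for_body(body);
}

int main(void)
{
    printf("well-formed: %d\n", verdict_for_body(SAMPLE_BODY));   /* 0 = IPADDR_OK */
    printf("200 x 'A':   %d\n", verdict_for_padded_value(200));   /* 2 = IPADDR_TOO_LONG */
    return 0;
}
```

The ordering matters: the length test runs before any byte is written, so a value of any size is rejected with a verdict rather than reaching the stack buffer, which is the property the handler described above lacks.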
Remediation
Users are advised to upgrade to the latest version of the Wavlink NU516U1 firmware, which is available on the Wavlink Firmware Download page.
