Wavlink NU516U1 Stack-Based Buffer Overflow Vulnerability Allowing Remote Code Execution

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Wavlink NU516U1 router, specifically in the latest firmware version 260227. The issue arises in the 'ftext' function of the '/cgi-bin/nas.cgi' component, where the program fails to properly validate the 'Content-Length' header in HTTP POST requests. This oversight allows attackers to send excessively long data that overflows the buffer, overwrites the return address, and hijacks the execution flow, potentially leading to remote code execution.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, allowing for the overwriting of the return address and hijacking of the execution flow, which can result in remote code execution.

Reproduction

The vulnerability can be reproduced by sending an HTTP POST request to the '/cgi-bin/nas.cgi' endpoint with a 'Content-Length' header value greater than 516 bytes. The request body must then be filled with enough data to overflow the buffer and overwrite the return address on the stack. This can be done using a variety of tools that allow for the manipulation of HTTP headers and request bodies, such as curl or Postman.
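
The missing check, written out as a defensive pattern for a CGI body reader. This is an added example, not Wavlink's code or anything recovered from the firmware: the function names are hypothetical, and the 516-byte capacity is an assumption taken from the threshold quoted above.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BODY_CAP 516  /* assumed buffer capacity, from the advisory's 516-byte threshold */

/* Parse a CONTENT_LENGTH string; accept only plain decimal values in 0..cap. */
int parse_content_length(const char *s, size_t cap, size_t *out)
{
    char *end;
    unsigned long v;
    /* Require a leading digit: strtoul() would otherwise turn "-1" into ULONG_MAX
       and silently skip leading spaces or a '+' sign. */
    if (s == NULL || *s < '0' || *s > '9')
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > cap)
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Read exactly the declared body into buf (which holds cap + 1 bytes).
   Returns the body length, or -1 if the request must be rejected. */
long read_body(FILE *in, const char *content_length, char *buf, size_t cap)
{
    size_t want, got;
    if (parse_content_length(content_length, cap, &want) != 0)
        return -1;              /* oversized or malformed: reply 400/413, read nothing */
    got = fread(buf, 1, want, in);
    if (got != want)
        return -1;              /* body shorter than the declared length */
    buf[got] = '\0';
    return (long)got;
}

/* Constructed harness: a temp file stands in for the CGI's stdin. */
long handle_request(const char *content_length, const char *body)
{
    char buf[BODY_CAP + 1];
    FILE *in = tmpfile();
    long n;
    if (in == NULL) return -2;
    fwrite(body, 1, strlen(body), in);
    rewind(in);
    n = read_body(in, content_length, buf, BODY_CAP);
    fclose(in);
    return n;
}
```

In a real CGI the length string would come from getenv("CONTENT_LENGTH") and the stream would be stdin; the rejection happens before any byte of the body is copied.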

Added: Mar 26, 2026, 9:19 AM
Updated: Mar 26, 2026, 9:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.3
remediation: 0.0
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.