We found a stack buffer overflow vulnerability in **TEW-755AP** (firmware version TEW755AP-FW113B01.bin).
In the function do_sta_enrollee_wifi of the file /www/cgi/ssi, the value of wps_sta_enrollee_pin is copied directly to the stack buffer v10 without a size check.
We checked the call sites of this function and found 3 entry points that reach it: set_sta_enrollee_pin_wifi2, set_sta_enrollee_pin_wifi1 and set_sta_enrollee_pin_wifi0 of apply.cgi.
As with other vulnerabilities, an attacker can trigger this vulnerability by sending a very long string in the POST data to apply.cgi, and can ultimately perform a Remote Code Execution attack.
Fix Suggestion:
Use snprintf to avoid the buffer overflow.
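
The suggested fix as an added example (not the firmware's or the reporters' code): a bounded copy with snprintf that also checks the return value, because snprintf truncates silently and a truncated PIN should be rejected rather than used. The buffer size `PIN_BUF_SIZE` and the names `copy_bounded` and `handle_enrollee_pin` are assumptions; the page does not give the size of v10.

```c
#include <stdio.h>
#include <string.h>

#define PIN_BUF_SIZE 64  /* assumed size; the page does not state v10's size */

/* Copy src into dst with snprintf. Returns 0 on success, -1 if an argument
 * is unusable or src does not fit; dst is left empty on failure. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    int n = snprintf(dst, dst_size, "%s", src);
    if (n < 0 || (size_t)n >= dst_size) {
        dst[0] = '\0';   /* reject instead of keeping a truncated value */
        return -1;
    }
    return 0;
}

/* Hypothetical stand-in for the handler that receives wps_sta_enrollee_pin.
 * Returns 0 if the value was accepted into out, -1 if it was rejected. */
int handle_enrollee_pin(const char *pin_param, char *out, size_t out_size)
{
    char pin[PIN_BUF_SIZE];  /* stack buffer, as v10 is on the page */
    if (copy_bounded(pin, sizeof pin, pin_param) != 0)
        return -1;
    return copy_bounded(out, out_size, pin);
}

int main(void)
{
    char out[PIN_BUF_SIZE];
    char oversized[4096];    /* constructed oversized input */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("short value: %d\n", handle_enrollee_pin("12345670", out, sizeof out));
    printf("oversized:   %d\n", handle_enrollee_pin(oversized, out, sizeof out));
    return 0;
}
```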