Vulnerabilities discovered by Carl Hurd and Jared Rittle of Cisco Talos.

Cisco Talos is disclosing multiple vulnerabilities in the TP-Link TL-R600VPN router. TP-Link produces a number of different types of small and home office (SOHO) routers. Talos discovered several bugs in this particular router model that could lead to remote code execution.

Overview

There are two root causes of the vulnerabilities: a lack of input sanitisation and parsing errors. The lack of proper input sanitisation leads to the vulnerabilities TALOS-2018-0617/18, which can be exploited without authentication. Parsing errors are responsible for the vulnerabilities TALOS-2018-0619/20. However, these can only be exploited with an authenticated session. The remote code execution is done under the context of HTTPD. However, since the HTTPD process is running under root, an attacker can run code with elevated privileges.

All vulnerabilities were found on HWv3 FRNv1.3.0 and HWv2 FRNv1.2.3, except for TALOS-2018-0620, which was found only on HWv3 FRNv1.3.0.

An exploitable denial-of-service vulnerability exists in the URI-parsing function of the TP-Link TL-R600VPN HTTP server. If a directory traversal is attempted on any of the vulnerable pages (help, images, frames, dynaform, localization) and the requested page is a directory instead of a file, the web server will enter an infinite loop, making the management portal unavailable. This request doesn't need to be authenticated.

CVE: CVE-2018-3948

A full technical advisory is available here.

An exploitable information disclosure vulnerability exists in the HTTP server functionality of the TP-Link TL-R600VPN. A directory traversal vulnerability exists in the TP-Link TL-R600VPN in both authenticated and unauthenticated forms. If a standard directory traversal is used with a base page of 'help,' the traversal does not require authentication and can read any file on the system.

CVE: CVE-2018-3949

A full technical advisory is available here.
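For defenders reviewing web logs in front of the management portal, the traversal pattern behind CVE-2018-3948 and CVE-2018-3949 can be flagged as in the following added example, which is not Talos or TP-Link code. It assumes the base page is the first path segment and that requests are logged in common log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Base pages the advisory lists as affected by the traversal bugs.
VULNERABLE_PAGES = {"help", "images", "frames", "dynaform", "localization"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (assumed common log format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2019:10:00:00 +0000] "GET /help/index.htm HTTP/1.1" 200 512',
    '192.0.2.66 - - [01/Jan/2019:10:00:05 +0000] "GET /help/../../../etc/ HTTP/1.1" 200 0',
    '192.0.2.66 - - [01/Jan/2019:10:00:09 +0000] "GET /images/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 901',
    '192.0.2.10 - - [01/Jan/2019:10:01:00 +0000] "GET /frames/a/../top.htm HTTP/1.1" 200 300',
    '192.0.2.10 - - [01/Jan/2019:10:02:00 +0000] "GET /status.htm?next=../x HTTP/1.1" 200 128',
]

def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded dots (%252e) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(request_target):
    """Return None for a clean request target, else a finding string."""
    path = decode_fully(urlsplit(request_target).path).replace("\\", "/")
    segments = [s for s in path.split("/") if s]
    if not segments or segments[0].lower() not in VULNERABLE_PAGES:
        return None
    if ".." not in segments[1:]:
        return None
    depth = 0  # directory depth relative to the base page
    for seg in segments[1:]:
        depth += -1 if seg == ".." else (0 if seg == "." else 1)
        if depth < 0:  # climbed above the base page
            return f"traversal-escape via /{segments[0]}"
    return f"dot-dot inside /{segments[0]}"

def scan(lines):
    """Return (line_number, finding) for every flagged log line."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        finding = classify(match.group(1)) if match else None
        if finding:
            findings.append((number, finding))
    return findings
```

A log line alone cannot show whether the traversal target was a directory (the denial-of-service case) or a file (the disclosure case), so both are reported as the same finding.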

An exploitable remote code execution vulnerability exists in the ping and traceroute functions of the TP-Link TL-R600VPN HTTP server. The router does not check the size of the data passed to its 'ping_addr' field when performing a ping operation. By sending a large amount of data to this field, an attacker could cause a stack-based buffer overflow, leading to remote code execution or a simple crash of the device's HTTP server. An attacker would need to be in an authenticated session to trigger this vulnerability.

CVE: CVE-2018-3950

A full technical advisory is available here.

An exploitable remote code execution vulnerability exists in the HTTP header-parsing function of the TP-Link TL-R600VPN HTTP server. A specially crafted HTTP request can cause a buffer overflow, resulting in remote code execution on the device. During this process, the server calculates the length of the user-controlled HTTP header buffer and adds the value to the input buffer offset. This creates an overflow condition when the router processes a longer-than-expected GET request. An attacker needs to be authenticated to be able to trigger this vulnerability.

CVE: CVE-2018-3951

A full technical advisory is available here.

Discussion

Over the past year, Talos has disclosed various vulnerabilities in internet-of-things (IoT) devices and SOHO routers. These are just the latest examples showing that these pieces of equipment are not only vulnerable, they also lack the generic operating system protections that mitigate vulnerabilities like buffer overflows. Fortunately, in the case of TL-R600VPN routers, the critical vulnerabilities that lead to remote code execution need authentication. However, the code could be executed with root privileges.

Coverage

The following Snort IDs have been released to detect these vulnerabilities: