TP-Link Routers Vulnerable to Zero-Day Buffer Overflow Attack

A flaw in two consumer router models, the TL-WR940N and TL-WR941ND, allowed authenticated users to take unrestricted remote control of the devices.

Two models of TP-Link’s budget routers are vulnerable to zero-day flaws that allow attackers to take control of both. The routers in question are models TP-Link TL-WR940N and TL-WR941ND, according to IBM Security, which found the bugs and posted a technical analysis of its discoveries on Monday.

“In the case of these routers, we found a zero-day in the router could allow malicious third parties to take control of the device from a remote location,” wrote Grzegorz Wypych with IBM Research. According to TP-Link’s documentation on the routers, both models have been discontinued. However, an online search revealed both models are available from retailers such as Target and Walmart.

As part of a larger IBM Security analysis of WLAN safety, Wypych examined both TP-Link router models and found that the vulnerabilities are tied to the web-based control panel that users configure the devices with. “Controls that were placed on the owner’s interface cannot protect the actual router and could allow an attacker to take advantage of that fact,” Wypych wrote along with report co-author Limor Kessem.

They trace the bug to the web-based interface, which offers features such as a System Tools/Diagnostic tab where advanced users can send Internet Control Message Protocol (ICMP) echo request/response packets via ping. Network devices use ICMP requests and responses to send error messages and operational information, such as whether a requested service is unavailable or a router can’t be reached.

“They can send packets either to an IPv4 address or to a hostname (on the targeted TP-Link router),” researchers wrote. “The panel’s security controls may limit character type and number, but nothing stops the user from intercepting requests with a Burp Suite (a graphical tool for testing web application security) proxy and malforming them.”

This is an opening an attacker can exploit. “When a user sends ping requests, a message is displayed on the device’s console referring to native code compiled to the firmware’s binary,” researchers said. Through a complex series of steps described in the post, the researchers were able to create the conditions for a buffer overflow attack while working in the router’s “Microprocessor without Interlocked Pipeline Stages” (MIPS) assembly code.

“We won’t go through a line-by-line analysis here… What’s interesting about it is the strcpy function call, which is the start of the TP-Link httpd process control, the vulnerable binary. What we have here is a classic buffer overflow issue,” researchers wrote.
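The write-up above traces the flaw to a strcpy call in the router’s httpd that copies the ping target taken from the request. The following C illustration is added here and is not taken from IBM’s analysis or from TP-Link’s firmware: it contrasts that pattern with a handler that validates and bounds the target on the server side, so that the character and length limits the browser enforces are not the only control. PING_TARGET_MAX, the function names and the sample inputs are assumptions chosen for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed buffer that receives the ping target. The
 * article does not give the real size; this is a constructed value. */
#define PING_TARGET_MAX 64
#define CMD_MAX (PING_TARGET_MAX + 16)

/* The pattern the IBM write-up describes: the target string from the HTTP
 * request is copied with strcpy into a fixed-size stack buffer with no
 * length check, so a request reshaped outside the browser can overrun it.
 * Kept only to contrast with the hardened form; never call it on
 * untrusted input. */
void copy_target_unsafe(const char *user_input, char *cmd, size_t cmd_len)
{
    char target[PING_TARGET_MAX];
    strcpy(target, user_input);          /* unbounded copy: classic overflow */
    snprintf(cmd, cmd_len, "ping %s", target);
}

/* Server-side check that does not depend on anything the browser enforces.
 * Accepts only a non-empty string of at most PING_TARGET_MAX - 1 bytes made
 * of letters, digits, '.' and '-', not starting with '-' or '.'. That covers
 * IPv4 literals and ordinary hostnames and rejects shell metacharacters and
 * option-looking values. */
bool ping_target_is_valid(const char *user_input)
{
    size_t n = 0;
    while (n < PING_TARGET_MAX && user_input[n] != '\0')
        n++;
    if (n == 0 || n == PING_TARGET_MAX)      /* empty, or too long to fit */
        return false;
    if (user_input[0] == '-' || user_input[0] == '.')
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)user_input[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return false;
    }
    return true;
}

/* Hardened handler: validates first, then copies with an explicit bound.
 * Returns a pointer to the built command, or NULL when the input is rejected. */
const char *build_ping_command(const char *user_input)
{
    static char cmd[CMD_MAX];
    char target[PING_TARGET_MAX];

    if (!ping_target_is_valid(user_input))
        return NULL;
    /* bounded copy; validation guarantees it fits, the bound is defence in depth */
    snprintf(target, sizeof target, "%s", user_input);
    snprintf(cmd, sizeof cmd, "ping %s", target);
    return cmd;
}

/* Constructed over-long input (200 'A's) of the kind a proxy-modified request
 * could carry; returns true when the hardened path rejects it. */
bool overlong_input_rejected(void)
{
    char input[201];
    memset(input, 'A', sizeof input - 1);
    input[sizeof input - 1] = '\0';
    return build_ping_command(input) == NULL;
}

int main(void)
{
    /* constructed sample inputs: two valid targets, three that must be rejected */
    const char *samples[] = { "192.168.0.1", "router.local", "", "-c", "a;b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *cmd = build_ping_command(samples[i]);
        printf("%-14s -> %s\n", samples[i], cmd ? cmd : "rejected");
    }
    printf("overlong input rejected: %s\n", overlong_input_rejected() ? "yes" : "no");
    return 0;
}
```

The validation accepts only a plausible IPv4 literal or hostname, which also removes shell metacharacters should the target ever be handed to a shell; the bounded snprintf copy behind it is defence in depth rather than the primary control. The same reasoning applies to any web-UI field a router’s native code consumes: client-side character and length limits, as the researchers note, can be bypassed with a proxy, so the check has to live in the binary that does the copy.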

Wypych and Kessem’s research into router vulnerabilities is ongoing. Both cited a study by The American Consumer Institute (PDF) that found 83 percent of routers have “high-risk” vulnerabilities.

“Most manufacturers outsource firmware that gets developed with costs in mind,” researchers said. “As such, it is rarely elaborate and, judging by the amount of router vulnerabilities out there, also rarely tested or secure. Making matters worse is the patch and update process: When was the last time you got a message prompting you to update your router’s firmware? Likely almost never.”

According to the TP-Link firmware update, patches became available on March 12, 2019 for both models. TL-WR940N router owners are encouraged to upgrade to firmware TL-WR940Nv3, and TL-WR941ND router owners to TL-WR941NDv6.
