From directory traversal to direct travesty: Crash, hijack, siphon off this TP-Link VPN box via classic exploitable bugs

TL-R600VPN owners, grab and install firmware fixes now

Bug-hunters have this week disclosed details of four security vulnerabilities in a family of TP-Link 1GbE VPN routers.

The flaws were found by Jared Rittle and Carl Hurd of Cisco's Talos Intelligence, and all four are classic security goofs. They are as follows: one denial-of-service weakness, and one file-leaking hole, each due to input sanitisation mistakes, and two remote code execution (RCE) holes, both down to parsing blunders.

In terms of seriousness, the RCEs can only be exploited within an authenticated session: only a malicious logged-in user, or malware with the right credentials, can leverage the holes. On the other hand, the bugs lie within the firmware's HTTP server, which provides the web-based configuration portal and runs as root. Thus if you can exploit the RCEs to hijack the web server, you can fully take over the MIPS Linux-powered router as an administrator.

The other two bugs do not require any authentication to exploit. All four require the attacker to be able to connect to the management portal: this is typically available to anyone, or any malware or software, on the network, although it can be exposed to the public internet. This remote management feature is not enabled by default.

The affected devices are TP-Link TL-R600VPN systems, hardware versions 2 and 3, and firmware updates are now available to close the holes.

Seek help, literally

Talos described CVE-2018-3948, the denial-of-service bug, as a cock-up in how the routers' built-in HTTP server parses URLs. It can be exploited by anyone able to connect to the management portal, logged in or not.

If an attacker attempts a directory traversal via a vulnerable page, such as the router's built-in help documentation, and the requested object is a directory rather than a file, “the web server will enter an infinite loop, making the management portal unavailable,” we're told. An example malicious URL is below:

GET /help/../../../../../../../../../../../../../../../../etc HTTP/1.1

CVE-2018-3949, the information disclosure vulnerability, would let a miscreant – again, logged in or not, they just need to connect to the portal – read system files using a well-crafted directory traversal URL. “If a standard directory traversal is used with a base page of 'help' the traversal does not require authentication and can read any file on the system”, Talos' disclosure noted.

Presumably, someone on the network, or any miscreant that can reach the management portal, can use this to rummage around the system for passwords to potentially crack and use in other attacks, or lift VPN settings.
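The two unauthenticated bugs above come down to the same missing check: the help page handler never confirmed that a traversal-laden path stayed inside the web root, nor that what it resolved to was a file rather than a directory. The following is an added illustration of that check, not code from TP-Link or Talos; it assumes a constructed /www web root and a dictionary standing in for the router's filesystem.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed stand-in for the router's filesystem, so the check runs offline.
# The layout (a /www web root holding the help pages) is an assumption, not
# the TL-R600VPN's real one.
FAKE_FS = {
    "/www": "dir",
    "/www/help": "dir",
    "/www/help/index.html": "file",
    "/etc": "dir",
    "/etc/passwd": "file",
}
DOCROOT = "/www"


def resolve_request(raw_target, docroot=DOCROOT, fs=FAKE_FS):
    """Map an HTTP request-target to a file under docroot; return (status, path).

    Two checks cover the two unauthenticated bugs:
      * the normalised path must stay inside docroot, otherwise the
        /help/../../etc/passwd traversal reads any file on the box (CVE-2018-3949);
      * the target must be a regular file; a directory is refused up front instead
        of being handed to the file-serving loop that hung the router (CVE-2018-3948).
    """
    # Percent-decode first so an encoded %2e%2e/ is normalised like a literal ../
    path = unquote(urlsplit(raw_target).path)
    # Join, then collapse ../ segments; normpath clamps at "/" so the path can
    # never climb above the filesystem root, but it can still climb above docroot.
    candidate = posixpath.normpath(posixpath.join(docroot, path.lstrip("/")))
    # Trailing separator in the prefix test so "/wwwx" is not mistaken for "/www"
    if candidate != docroot and not candidate.startswith(docroot + "/"):
        return 403, None          # escaped the web root
    if fs.get(candidate) != "file":
        return 404, None          # missing, or a directory: never enter the loop
    return 200, candidate


def handle_request_line(line):
    """Parse 'GET <target> HTTP/1.1' and resolve the target."""
    parts = line.split()
    if len(parts) != 3:
        return 400, None
    if parts[0] != "GET":
        return 405, None
    return resolve_request(parts[1])


if __name__ == "__main__":
    for req in ("GET /help/index.html HTTP/1.1", "GET /help/ HTTP/1.1",
                "GET /help/../../../../../../../../../../../../../../../../etc HTTP/1.1",
                "GET /help/%2e%2e/%2e%2e/etc/passwd HTTP/1.1"):
        print(req.split()[1], "->", handle_request_line(req))
```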

Code execution

The first of the RCE vulnerabilities is CVE-2018-3950, a bug in the ping and traceroute feature – the routers failed to check the size of data passed in the ping_addr field in the web page controlling the functionality. A single authenticated HTTP request can therefore trigger a stack overrun by cramming too much data into the ping_addr parameter, and gain control of the router's processor and software.

Last on the list is CVE-2018-3951, a bug in the header-parsing function of the routers' HTTP server.

It is possible to fire off a longer-than-expected GET HTTP request to the web server, overflowing a buffer. The request can contain executable instructions and other data, and control the flow of the processor by overwriting a return address. This therefore allows a malicious logged-in user, or malware with the necessary credentials, to hijack the device, install spyware, and so on. The vulnerability lies within the processing of pages in the devices' /fs/ directory.

In a perfect world, an RCE exploitable only from authenticated sessions would not be too bad – except that too many users leave default credentials in place. In that scenario, an RCE would provide an ideal path for devices to be recruited into a botnet.

TP-Link has released firmware updates with fixes, Talos said. Download the new code from the manufacturer's site, and install via the management portal. ®
