Researcher Discloses Multiple Vulnerabilities in TP-Link Router, Including RCE

A researcher from Cisco Talos has disclosed multiple vulnerabilities in a TP-Link router, affecting several versions of the device. The findings include two remote code execution bugs as well as a denial-of-service and an information disclosure vulnerability.

All of the bugs were found by Jared Rittle of Cisco Talos, who noted that their root causes are a lack of input sanitisation (TALOS-2018-0617/18) and parsing errors (TALOS-2018-0619/20). The input-sanitisation bugs can be exploited without authentication, while the parsing-error bugs can only be exploited from an authenticated session.

All vulnerabilities were found on the TP-Link TL-R600VPN, HWv3 FRNv1.3.0 and HWv2 FRNv1.2.3.

TALOS-2018-0617 — TP-Link TL-R600VPN HTTP denial of service

This bug, identified as CVE-2018-3948, is an exploitable denial-of-service vulnerability in the URI-parsing function of the TP-Link TL-R600VPN HTTP server. If a directory traversal is attempted on any of the vulnerable pages (help, images, frames, dynaform, localization) and the requested page is a directory instead of a file, the web server enters an infinite loop, making the management portal unavailable. The request does not need to be authenticated.

You can check the full technical details of the bug here.

TALOS-2018-0618 — TP-Link TL-R600VPN HTTP server information disclosure

This bug has been assigned CVE-2018-3949 and is an exploitable information disclosure vulnerability in the HTTP server functionality of the TP-Link TL-R600VPN. A directory traversal vulnerability exists in both authenticated and unauthenticated forms. If a standard directory traversal is used with a base page of 'help', the traversal does not require authentication and can read any file on the system.

Full technical details of the bug are here.

TALOS-2018-0619 — TP-Link TL-R600VPN HTTP server ping address remote code execution

This is an authenticated bug, assigned CVE-2018-3950. It resides in the ping and traceroute functions of the TP-Link TL-R600VPN HTTP server, where the router does not check the size of the data passed to its 'ping_addr' field when performing a ping operation. By sending a large amount of data to this field, an attacker could cause a stack-based buffer overflow, leading to remote code execution or a simple crash of the device's HTTP server.
A full technical advisory is available here.

TALOS-2018-0620 — TP-Link TL-R600VPN HTTP server fs directory remote code execution

This is another authenticated remote code execution bug, CVE-2018-3951, which resides in the HTTP header-parsing function of the TP-Link TL-R600VPN HTTP server. A specially crafted HTTP request can cause a buffer overflow, resulting in remote code execution on the device. During header parsing, the server calculates the length of the user-controlled HTTP header buffer and adds that value to the input buffer offset, which creates an overflow condition when the router processes a longer-than-expected GET request.
Read full technical details of the bug here.
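As an added illustration (not code from the advisories or from Cisco Talos), the following Python script scans web-server access-log lines for the request patterns the four advisories describe: directory traversal under the listed base pages, an oversized 'ping_addr' parameter and an overlong request line. The log format, the length thresholds, the sample lines and the assumption that 'ping_addr' appears in the logged query string are all constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Base pages the Talos advisories (TALOS-2018-0617/0618) name as traversable.
VULN_BASE_PAGES = {"help", "images", "frames", "dynaform", "localization"}
# Thresholds are assumptions for this example, not values from the advisories.
MAX_PING_ADDR_LEN = 64      # a hostname or IP literal never needs more than this
MAX_REQUEST_LINE_LEN = 512  # TALOS-2018-0620: longer-than-expected GET requests

# Combined-log-format request line: ip ident user [time] "METHOD URI PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]+" (?P<status>\d{3})'
)

def analyze_uri(uri):
    """Return a list of (finding, detail) tuples for one request URI."""
    findings = []
    parts = urlsplit(uri)
    # Percent-decode so encoded dot segments (%2e%2e) are seen as '..'.
    segments = [s for s in unquote(parts.path).split("/") if s]
    if segments and segments[0] in VULN_BASE_PAGES and ".." in segments:
        # Traversal under a vulnerable base page; 'help' is reachable unauthenticated.
        findings.append(("traversal", segments[0]))
    for value in parse_qs(parts.query, keep_blank_values=True).get("ping_addr", []):
        if len(value) > MAX_PING_ADDR_LEN:  # TALOS-2018-0619: size of ping_addr unchecked
            findings.append(("oversized_ping_addr", len(value)))
    if len(uri) > MAX_REQUEST_LINE_LEN:
        findings.append(("oversized_request", len(uri)))
    return findings

def scan_log(lines):
    alerts = []  # (client_ip, finding, detail) for every suspicious request
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            for kind, detail in analyze_uri(m["uri"]):
                alerts.append((m["ip"], kind, detail))
    return alerts

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2018:10:00:01 +0000] "GET /help/../../../tmp/x HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Dec/2018:10:00:02 +0000] "GET /images/%2e%2e/%2e%2e/cfg HTTP/1.1" 200 0',
    '203.0.113.5 - - [10/Dec/2018:10:00:03 +0000] "GET /ping?ping_addr=' + "A" * 100 + ' HTTP/1.1" 200 0',
    '203.0.113.5 - - [10/Dec/2018:10:00:04 +0000] "GET /frames/' + "A" * 600 + ' HTTP/1.1" 200 0',
    '192.0.2.9 - - [10/Dec/2018:10:00:05 +0000] "GET /help/index.htm HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, kind, detail in scan_log(SAMPLE_LOG):
        print(f"{ip}: {kind} ({detail})")
```

A legitimate request to the help page produces no finding; only traversal under the listed base pages and oversized inputs are reported.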

All of the above vulnerabilities have been fixed and patches were released, so we recommend that all affected users update the firmware version of their router.
With ❤️ Cyber Kendra