Use CVE-2023-24362
Vulnerability Disclosure
Vendor: TP-Link
Affected product(s):
TL-WR702N - Version: TL-WR702N_V1_151021_US
TL-WR720N - Version: TL-WR720N_V1_130719
Buffer Overflow DOS: Pinging functionality in the diagnostics tool
To exploit the vulnerability, one must be authenticated on the web panel of the router. A maliciously crafted request is then sent with the packet size parameter changed to a large value in an intercepting proxy.
The web panel of the router has a diagnostics tool. The diagnostics tool only has size checks in the frontend, so crafted requests reach the backend with no size checks at all. Specifically, changing the pSize parameter to a large value will lead to a full DoS of the router.
Buffer Overflow RCE: The web panel of the router
By sending a crafted request, a malicious actor can get remote code execution on the router. This requires being logged in to the web panel.
Sending a crafted HTTP request to the endpoint /userRpm/WlanNetworkRpm with the parameter newBridgessid causes a buffer overflow, which can lead to remote code execution.
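Both issues above come down to the backend trusting lengths and sizes that only the frontend checks. The following is an added example (not code from this repository or from TP-Link) of the server-side bounds checks the router lacks, run as detection logic over constructed access-log lines. The disclosure does not name the diagnostics endpoint or the frontend's pSize limit, so the path in the sample log and the PSIZE_MAX value are assumptions; the 32-octet SSID limit is the 802.11 maximum.

```python
from urllib.parse import urlsplit, parse_qsl

# SSID_MAX is the 802.11 maximum SSID length (32 octets). PSIZE_MAX is an
# assumed bound standing in for whatever the router's frontend enforces;
# the disclosure does not state that value.
SSID_MAX = 32
PSIZE_MAX = 65500

# Parameters named in the disclosure, mapped to the check each needs.
LIMITS = {
    "newBridgessid": ("len", SSID_MAX),   # /userRpm/WlanNetworkRpm overflow
    "pSize": ("int", PSIZE_MAX),          # diagnostics ping packet size
}

def check_request(url):
    """Return a list of (param, reason) findings for one request URL.

    An empty list means every checked parameter is within bounds."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name not in LIMITS:
            continue
        kind, limit = LIMITS[name]
        if kind == "len" and len(value.encode()) > limit:
            findings.append((name, f"length {len(value.encode())} > {limit}"))
        elif kind == "int":
            if not value.isdigit():                 # rejects '', '-1', 'abc'
                findings.append((name, "not a non-negative integer"))
            elif int(value) > limit:
                findings.append((name, f"value {value} > {limit}"))
    return findings

def scan_log(lines):
    """Return (url, findings) for each common-log-format line that trips a check."""
    hits = []
    for line in lines:
        try:
            url = line.split('"')[1].split()[1]    # 'GET /path?q HTTP/1.1' -> /path?q
        except IndexError:
            continue                                # malformed line, skip it
        findings = check_request(url)
        if findings:
            hits.append((url, findings))
    return hits

# Constructed sample lines (not real captures). DIAGNOSTICS_PLACEHOLDER stands
# in for the diagnostics endpoint, which the disclosure does not name.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2023:10:00:00 +0000] "GET /userRpm/WlanNetworkRpm?newBridgessid=HomeNet HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2023:10:00:05 +0000] "GET /userRpm/WlanNetworkRpm?newBridgessid=' + "A" * 200 + ' HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2023:10:01:00 +0000] "GET /userRpm/DIAGNOSTICS_PLACEHOLDER?pSize=64 HTTP/1.1" 200 256',
    '192.0.2.10 - - [01/Jan/2023:10:01:03 +0000] "GET /userRpm/DIAGNOSTICS_PLACEHOLDER?pSize=99999 HTTP/1.1" 200 256',
]
```

Because both bugs require an authenticated session, hits from scan_log are worth correlating with the panel's login events rather than being treated as unauthenticated noise.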
This repository
In /pocs, the proof of concepts can be found.
In /dump-over-uart, the script used to dump the firmware over UART can be found.
In /firmware, the analyzed firmware can be found.
In /binary_ninja, general ease-of-life scripts can be found.
In /manuals, the primary manuals used for this research are located.