TP-Link Routers At Risk of Remote Hijack

Pizza Guy
Pizza Guy
May 26, 2019 · 4 min read

Last week, TP-Link released a security update for the WR740N router. The patch resolves buffer overflow vulnerabilities that can be exploited to achieve remote code execution on the router. What is most concerning about this situation is that the vulnerabilities were discovered over one year ago. Furthermore, an exploit has been publicly available in the meantime.

Why is it important?

This news is important as a leading router company left a reported vulnerabilities leading to remote code execution in their firmware. The vulnerabilities were first discovered and disclosed by Andrew Mabbitt, founder of U.K. cybersecurity firm Fidus Information Security, in October 2017 [1]. Mabbitt identified the vulnerability in the WR940N router, upon which TP-Link promptly released a patch. However, the WR740N router was found to contain the same vulnerabilities, as a consequence of code reuse between the two routers [2]. Mabbitt notified TP-Link of the remaining vulnerabilities in January 2018 [1]. Despite being notified, TP-Link took 14 months to publicly release a patch.

TP-Link compromised their customers’ security and privacy in an act of negligence. It is important that steps are taken to avoid such an event in the future.

Who is affected?

The vulnerabilities should concern users of the WR740N router. Online databases suggest that there are over 100000 of these devices connected to the internet [1]. Prior to the May 2019 patch release, TP-Link stated that the patch was available to anyone who contacted the company’s tech support [1]. Consequently, any users that have not installed the May 2019 patch, or have not explicitly requested the patch from tech support, are affected.

Note that TP-Link claims that the WR740N had been discontinued in 2017, meaning that number of affected users cannot significantly increase [1].

What impact might it have on people?

The exploit allows attackers to gain complete control over the router [1]. Consequently, the vulnerabilities compromises all three aspects of security.

Confidentiality is affected as attackers could read packets being sent to and from the router. If the packets contain unencrypted data, an attacker would have access to someone’s data and personal information.

Integrity is compromised as unauthorized modification could be made to router settings. Attackers could modify DNS settings to make users visit fake website that looks and appears like a real one [1]. Here, compromising integrity also leads to compromising confidentiality, as users may input login credentials to the fake site.

Finally, Availability may be affected as attackers could take down a router and cut users off from the internet. Similarly, multiple routers could also be commandeered to launch a Distributed Denial-of-Service (DDoS) attack and compromise the availability of other systems.

Image for post
Image for post
Tp-Link Logos

What were the causes?

The WR740N router firmware contained multiple buffer overflow vulnerabilities due to multiple uses of strcpy on unsanitized user input [2]. The vulnerabilities were present in the httpd binary installed on the router, responsible for handling HTTP requests [3].

The publicly released exploit makes a GET request to the router with a particular set of parameters. The parameters provided in the request are passed directly to a call to strcpy [3]. No validation is performed on the parameters, allowing an attacker to make them arbitrarily long. Hence, the exploit overwrites a return address to make it point to shellcode placed on the stack. The shellcode opens a bind shell in which any code can be run.

Note that the request can only be made if the attacker is logged in to the router. However, many router users never change the default password, and the exploit works by using the default username and password “admin” [3].

Finally, a lack of public response from TP-Link prolonged the lifetime of the exploit.

Hence the three contributing factors to the exploit were the buffer overflow vulnerabilities, a lack of secure usernames and passwords on given routers, and negligence on the part of TP-Link.

How might similar problems be prevented in the future?

Code review and penetration testing are two actions that could have been taken to prevent the vulnerabilities from being present in the firmware. Developers should thoroughly review their own code and other’s code before it is released. Buffer overflow vulnerabilities caused by strcpy are not a new problem and developers must take it upon themselves to learn about common vulnerabilities. Developers should always check and sanitize user inputs, and prefer strncpy over strcpy, as it forces developers to consider the length of the input string. Furthermore, had TP-Link tested the code more throughly, the issue could have been caught much earlier.

However, users of software and hardware must also be responsible for the passwords they use. The widespread use of default passwords, enabled a simple exploit of the vulnerabilities present. Users should be educated about password security and should be encouraged to change default passwords and use more complex passwords in general. Another option is for companies such as TP-Link, to introduce more complex, random, default passwords per device. This would assist in guarding against user negligence. In fact, California and the United Kingdom are introducing legislation that would force companies to sell devices with unique default passwords [1].

Finally, TP-Link should have made the WR740N patches public rather than requiring their customers to call in to tech support. Better communication could have reduced the number of users affected by the vulnerability. Should new legislation be introduced to penalize companies that comprise user security and privacy through acts of negligence? To what extent should legislation be responsible for controlling modern security issues?

— — — — — — — — -

References

[1] TechCrunch. Thousands of vulnerable TP-Link routers at risk of remote hijack.

https://techcrunch.com/2019/05/22/tp-link-routers-vulnerable-remote-hijack/

[2] Fidus Information Security. TPLINK TLWR740N ROUTER REMOTE CODE EXECUTION.

https://fidusinfosec.com/a-curious-case-of-code-reuse-tplink-cve-2017-13772-v2/

[3] Fidus Information Security. REMOTE CODE EXECUTION (CVE-2017–13772) WALKTHROUGH ON A TP-LINK ROUTER.

https://fidusinfosec.com/tp-link-remote-code-execution-cve-2017-13772/

Author: Aditya Keerthi

PwnPizza

Cyber Security, ML, Networks & Systems Research Blog www.pwn

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store