A serious security flaw has been discovered in TP-Link VN020-F3v(T) routers running firmware version TT_V6.2.1021. Unauthenticated remote attackers could crash the device (denial of service) and potentially achieve remote code execution.

The vulnerability, known as CVE-2024-11237, enables attackers to exploit a stack-based buffer overflow by sending carefully crafted DHCP DISCOVER packets, causing the router to crash and become unresponsive.

Confirmed reports of similar vulnerabilities in the firmware versions used by customers in Algeria and Morocco highlight the role of the ISPs Tunisie Telecom and Topnet, which deployed the affected routers.

Because the firmware is proprietary, its internal implementation details are not available. Nevertheless, security researchers were able to establish the impact of the vulnerability from observed behavior and black-box testing.

Technical Analysis of the Vulnerability

Identified as CVE-2024-11237, this vulnerability involves a stack-based buffer overflow (CWE-121) that is exploitable remotely via a DHCP DISCOVER packet.

The vulnerability affects the DHCP server listening on UDP port 67 and requires no authentication to exploit. It results in a confirmed Denial of Service (DoS) and potentially allows Remote Code Execution (RCE). The attack complexity is low, making the flaw attractive to attackers aiming to disrupt or take control of affected devices.

The flaw originates in the router’s mishandling of the DHCP Hostname and Vendor-Specific options: oversized or malformed values are processed without proper bounds checks, leading to a buffer overflow.

Specially crafted DHCP DISCOVER packets containing excessively long hostnames or manipulated vendor-specific options can directly trigger the overflow.

Several potential attack vectors and methods for triggering the overflow have been identified by researchers.

The router’s DHCP option handling can be abused in several ways. For instance, sending a DHCP request with a hostname exceeding 127 characters can result in a buffer overflow, potentially causing the device to crash.

Another approach involves manipulating vendor-specific options within the DHCP packet to disrupt the router’s operation by creating a mismatch between the claimed and actual length of option data.

Discrepancies between the claimed and actual packet lengths can likewise lead to memory corruption, further destabilizing the device. These methods, demonstrated in the PoC, underscore the risks of unpatched DHCP processing vulnerabilities.

Potential Memory Corruption

Although the internal firmware code remains inaccessible, the observed symptoms suggest that memory is corrupted during an attack, consistent with a stack-based buffer overflow.

Stack Layout (Normal Case)
+------------------------+ Higher addresses
|     Previous Frame     |
+------------------------+
|   Return Address (4)   |
+------------------------+
|    Saved EBP (4)       |
+------------------------+
|                        |
|   Hostname Buffer      |
|      (64 bytes)        |
|                        |
+------------------------+ Lower addresses
|    Other Variables     |
+------------------------+

This could enable attackers to overwrite critical memory locations, including the router’s return address, potentially causing instability or facilitating remote code execution.

Stack Layout (Overflow Case)
+------------------------+ Higher addresses
|     Previous Frame     |
+------------------------+
|   Overwritten Return   | 
+------------------------+
|   Overwritten EBP      | <- Unknown state corruption
+------------------------+
|     Overflow Data      | <- 127 bytes of 'A'
|         ...            |
+------------------------+ Lower addresses
|    Other Variables     | <- Potentially corrupted
+------------------------+

Exploitation of these vulnerabilities can have significant repercussions on network functionality. Following a successful attack, the router may become unresponsive, leading to a total loss of internet connectivity.

Devices relying on the router’s DHCP service to obtain IP addresses may encounter connection failures, exacerbating the disruption.

Although the router attempts to restart automatically after the crash, manual intervention may be necessary to restore functionality, potentially causing prolonged network downtime, particularly in environments where many devices depend on the DHCP service.

Mitigation and Recommendations

TP-Link has not yet issued an official patch for this vulnerability. In the meantime, users are encouraged to adopt the following mitigation strategies to reduce the risk of exploitation:

  • Deactivate DHCP Server: If the DHCP service is unnecessary, disabling it in the router settings can prevent attacks.
  • Enforce DHCP Traffic Filtering: Network administrators can filter DHCP traffic (UDP port 67) at the network perimeter so that malformed or untrusted packets never reach the router’s DHCP server.
  • Explore Alternative Router Options: If feasible, consider transitioning to router models unaffected by this vulnerability.
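As an added illustration of the two malformed-input classes described above (an oversized Hostname option, and a Vendor-Specific option whose claimed length does not match the bytes actually present) and of the kind of check a DHCP traffic filter could apply, the following Python inspector walks the option area of a DHCP message and reports every length inconsistency. This is example code written for this page, not code from the article, from the PoC, or from TP-Link; the 64-byte hostname limit is an assumption taken from the stack sketch above, and every packet it builds is constructed test data rather than captured traffic.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_HOSTNAME, OPT_VENDOR, OPT_MSG_TYPE, OPT_END = 0, 12, 43, 53, 255
DHCP_DISCOVER = 1
# Assumed policy limit: the stack sketch above shows a 64-byte hostname buffer,
# so any hostname longer than that is flagged even though the option format
# itself allows values up to 255 bytes.
MAX_HOSTNAME = 64


def walk_tlv(buf, require_end):
    """Walk a code/length/value sequence, checking every claimed length against
    the bytes actually present. Returns (items, findings)."""
    items, findings, i, n = [], [], 0, len(buf)
    while i < n:
        code = buf[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return items, findings
        if i + 1 >= n:                        # code byte with no length byte
            findings.append("truncated-option-%d" % code)
            return items, findings
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:              # claimed length runs past the packet
            findings.append("truncated-option-%d" % code)
            return items, findings
        items.append((code, value))
        i += 2 + length
    if require_end:
        findings.append("missing-end-option")
    return items, findings


def inspect_dhcp(packet):
    """Return a list of findings for one DHCP message (empty list = looks sane)."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        return ["not-dhcp"]
    options, findings = walk_tlv(packet[240:], require_end=True)
    for code, value in options:
        if code == OPT_HOSTNAME and len(value) > MAX_HOSTNAME:
            findings.append("oversized-hostname")
        elif code == OPT_VENDOR:
            # The vendor-specific payload is itself a TLV sequence (RFC 2132 8.4);
            # its END marker is optional, so only length mismatches are flagged.
            _, sub = walk_tlv(value, require_end=False)
            findings.extend("vendor-" + f for f in sub)
    return findings


def is_discover(packet):
    """True if option 53 (message type) says DHCPDISCOVER."""
    options, _ = walk_tlv(packet[240:], require_end=True)
    return any(c == OPT_MSG_TYPE and v == bytes([DHCP_DISCOVER]) for c, v in options)


def build_discover(option_bytes):
    """Constructed test packet: 236-byte BOOTP header + magic cookie + options."""
    hdr = struct.pack("!BBBBIHHIIII", 1, 1, 6, 0, 0x3903F326, 0, 0x8000, 0, 0, 0, 0)
    hdr += b"\x00\x11\x22\x33\x44\x55" + b"\x00" * 10    # chaddr (16 bytes)
    hdr += b"\x00" * 64 + b"\x00" * 128                   # sname, file
    return hdr + DHCP_MAGIC + option_bytes


def encode(options):
    """Encode [(code, value), ...] as option bytes terminated by END."""
    out = b"".join(bytes([c, len(v)]) + v for c, v in options)
    return out + bytes([OPT_END])


# Constructed samples (not captured traffic)
BENIGN = build_discover(encode([(OPT_MSG_TYPE, b"\x01"), (OPT_HOSTNAME, b"printer-01"),
                                (OPT_VENDOR, encode([(1, b"abc")]))]))
LONG_HOST = build_discover(encode([(OPT_MSG_TYPE, b"\x01"), (OPT_HOSTNAME, b"A" * 128)]))
# option 43 claims 40 bytes but only 5 follow, and the packet simply stops
TRUNCATED = build_discover(bytes([OPT_MSG_TYPE, 1, 1, OPT_VENDOR, 40]) + b"\x01\x03abc")
# option 43 is well-formed on the outside, but its sub-option claims 10 bytes with 3 present
BAD_SUB = build_discover(encode([(OPT_MSG_TYPE, b"\x01"), (OPT_VENDOR, bytes([1, 10]) + b"abc")]))

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN), ("long-host", LONG_HOST),
                      ("truncated", TRUNCATED), ("bad-sub", BAD_SUB)]:
        print(name, is_discover(pkt), inspect_dhcp(pkt))
```

The same walker is reused for the encapsulated vendor-specific options so that a mismatch one level down is caught too; a filter that only validated the outer option length would pass BAD_SUB through. A packet that produces any finding is a candidate for dropping before it reaches the router, which is what the traffic-filtering recommendation above amounts to in practice.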

The post DHCP Vulnerability in TP-Link Lets Attackers Takeover Routers Remotely – PoC Released appeared first on Cyber Security News.