DHCP Vulnerability in TP-Link Lets Attackers Takeover Routers Remotely – PoC Released
Author: Balaji N
A critical security vulnerability has been found in TP-Link VN020-F3v(T) routers running firmware version TT_V6.2.1021. Attackers could take over the devices remotely, leading to DoS attacks or even RCE attacks.
The vulnerability, cataloged as CVE-2024-11237, allows attackers to exploit a stack-based buffer overflow by sending specially crafted DHCP DISCOVER packets, which can cause the router to crash and become unresponsive.
The affected routers are deployed primarily by the ISPs Tunisie Telecom and Topnet, and there are additional confirmed reports of comparable vulnerabilities in the firmware versions used by Algerian and Moroccan customers.
The firmware in question is proprietary, limiting the availability of internal implementation details. However, through observed behavior and black-box testing, security researchers have been able to identify the vulnerability’s impact.
Technical Analysis of the Vulnerability
The vulnerability, identified as CVE-2024-11237, is a stack-based buffer overflow (CWE-121) that can be exploited remotely via a DHCP DISCOVER packet.
It affects the DHCP server operating on UDP port 67 and does not require authentication for exploitation. The impact of this vulnerability includes a confirmed Denial of Service (DoS), with the potential for Remote Code Execution (RCE). The attack complexity is low, making it an accessible target for attackers seeking to disrupt or gain control of affected systems.
The vulnerability stems from a flaw in the way the router processes DHCP Hostname and Vendor-Specific options. Specifically, the router fails to handle oversized or malformed inputs properly, leading to buffer overflow conditions.
In particular, attackers can send a specially crafted DHCP DISCOVER packet containing an excessively long hostname or manipulated vendor-specific options, directly triggering the overflow.
Researchers have identified several potential attack vectors and methods for triggering the overflow.
Attackers can exploit vulnerabilities in a router’s DHCP processing through various techniques. One method involves sending a DHCP request with an excessively long hostname, exceeding 127 characters, which can lead to a buffer overflow. This overflow may overwrite critical memory locations, potentially causing the device to crash.
Another technique targets the manipulation of vendor-specific options within the DHCP packet. By carefully crafting these options and creating a mismatch between the claimed and actual length of the option data, attackers can exploit the vulnerability to disrupt the router’s operation.
Additionally, discrepancies between the claimed and actual packet lengths can be exploited, leading to memory corruption and further destabilizing the device. These methods, demonstrated in the PoC, highlight the risk posed by unpatched flaws in DHCP processing.
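As an added example (not code from the article or from the researchers' PoC), the following defensive validator walks the DHCP option field of a raw packet and flags the two malformed conditions described above: an option whose claimed length runs past the end of the packet, and a hostname option longer than the 127-byte threshold the article cites. The packet builder and sample packets are constructed for illustration; the 236-byte BOOTP header and magic cookie follow RFC 2132.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP option field (RFC 2132)
FIXED_HEADER_LEN = 236              # BOOTP fixed fields preceding the cookie
OPT_PAD, OPT_HOSTNAME, OPT_END = 0, 12, 255
HOSTNAME_LIMIT = 127                # threshold the article gives for the overflow

def check_dhcp_options(packet: bytes, hostname_limit: int = HOSTNAME_LIMIT) -> list:
    """Walk the option TLVs of a raw DHCP packet; return a list of findings (empty = clean)."""
    findings = []
    if len(packet) < FIXED_HEADER_LEN + 4:
        return ["truncated: shorter than BOOTP header plus magic cookie"]
    if packet[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != MAGIC_COOKIE:
        return ["missing DHCP magic cookie"]
    i = FIXED_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:          # single-byte option, no length field
            i += 1
            continue
        if code == OPT_END:
            return findings
        if i + 1 >= len(packet):
            return findings + [f"option {code}: length byte missing"]
        length = packet[i + 1]
        overrun = i + 2 + length - len(packet)
        if overrun > 0:              # claimed length vs. bytes actually present
            return findings + [f"option {code}: claimed length {length} exceeds packet by {overrun} bytes"]
        if code == OPT_HOSTNAME and length > hostname_limit:
            findings.append(f"option 12 (hostname): {length} bytes exceeds {hostname_limit}")
        i += 2 + length
    return findings + ["no END option: option field unterminated"]

def build_discover(options: bytes, xid: int = 0x1234ABCD) -> bytes:
    """Assemble a minimal DHCP DISCOVER around the given option bytes (constructed sample)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    hdr += b"\x02\x00\x00\x00\x00\x01" + b"\0" * 10   # chaddr: constructed MAC, padded to 16
    hdr += b"\0" * 64 + b"\0" * 128                   # sname and file, unused
    return hdr + MAGIC_COOKIE + options

# Constructed sample packets: option 53 (message type) = 1 (DISCOVER) in each case.
BENIGN = build_discover(b"\x35\x01\x01" + b"\x0c\x05host1" + b"\xff")
LONG_HOSTNAME = build_discover(b"\x35\x01\x01" + b"\x0c\xc8" + b"A" * 200 + b"\xff")
# Vendor-specific option (43) claims 64 bytes but only 3 follow, and no END option.
LENGTH_MISMATCH = build_discover(b"\x35\x01\x01" + b"\x2b\x40\x01\x02\x03")

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN), ("long hostname", LONG_HOSTNAME), ("length mismatch", LENGTH_MISMATCH)]:
        print(name, "->", check_dhcp_options(pkt) or ["ok"])
```

The same bounds logic, applied at the point where a DHCP server copies an option into a fixed-size buffer, is the check whose absence the article's symptoms suggest.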
Potential Memory Corruption
Although the internal firmware code remains inaccessible, the observed symptoms suggest that the router's memory may become corrupted during an attack, leading to a stack overflow.
Stack Layout (Normal Case)

+------------------------+  Higher addresses
| Previous Frame         |
+------------------------+
| Return Address (4)     |
+------------------------+
| Saved EBP (4)          |
+------------------------+
|                        |
| Hostname Buffer        |
| (64 bytes)             |
|                        |
+------------------------+  Lower addresses
| Other Variables        |
+------------------------+
This could potentially allow attackers to overwrite the router’s return address and other key memory locations, causing instability or even enabling remote code execution.
Stack Layout (Overflow Case)

+------------------------+  Higher addresses
| Previous Frame         |
+------------------------+
| Overwritten Return     |
+------------------------+
| Overwritten EBP        |