From directory traversal to direct travesty: Crash, hijack, siphon off this TP-Link VPN box via classic exploitable bugs

TL-R600VPN owners, grab and install firmware fixes now


Bug-hunters have this week disclosed details of four security vulnerabilities in a family of TP-Link 1GbE VPN routers.

The flaws were found by Jared Rittle and Carl Hurd of Cisco's Talos Intelligence, and all four are classic security goofs. They are as follows: one denial-of-service weakness, and one file-leaking hole, each due to input sanitisation mistakes, and two remote code execution (RCE) holes, both down to parsing blunders.

In terms of seriousness, the RCEs can only be exploited within an authenticated session: only a malicious logged-in user, or malware with the right credentials, can leverage the holes. On the other hand, the bugs lie within the firmware's HTTP server, which is used to provide a web-based configuration portal, which runs as root. Thus if you can exploit the RCEs to hijack the web server, you can fully take over the MIPS Linux-powered router as an administrator.

The other two bugs do not require any authentication to exploit. All four require the attacker to be able to connect to the management portal: this is typically available to anyone, or any malware or software, on the network, although it can be exposed to the public internet. This remote management feature is not enabled by default.

The affected devices are TP-Link TL-R600VPN systems, hardware versions 2 and 3, and firmware updates are now available to close the holes.

Seek help, literally

Talos described CVE-2018-3948, the denial-of-service bug, as a cock-up in how the routers' built-in HTTP server parses URLs. It can be exploited by anyone able to connect to the management portal, logged in or not.

If an attacker attempts a directory traversal via a settings vulnerable page, such as its documentation, and the requested object is a directory instead of a file, “the web server will enter an infinite loop, making the management portal unavailable,” we're told. An example malicious URL is below:

GET /help/../../../../../../../../../../../../../../../../etc HTTP/1.1

CVE-2018-3949, the information disclosure vulnerability, would let a miscreant – again, logged in or not, they just need to connect to the portal – read system files using a well-crafted directory traversal URL. “If a standard directory traversal is used with a base page of 'help' the traversal does not require authentication and can read any file on the system”, Talos' disclosure noted.

Presumably, someone on the network, or any miscreant that can reach the management portal, can use this to rummage around the system for passwords to potentially crack and use in other attacks, or lift VPN settings.

Code execution

The first of the RCE vulnerabilities is CVE-2018-3950, a bug in the ping and traceroute feature – the routers failed to check the size of data passed in the ping_addr field in the web page controlling the functionality. A single authenticated HTTP request can therefore trigger a stack overrun by cramming too much data into the ping_addr parameter, and gain control of the router's processor and software.

Last on the list is CVE-2018-3951, a bug in the header-parsing function of the routers' HTTP server.

It is possible to fire off a longer-than-expected GET HTTP request to the web server, overflowing a buffer. The request can contain executable instructions and other data, and control the flow of the processor by overwriting a return address. This therefore allows a malicious logged-in user, or malware with the necessary credentials, to hijack the device, install spyware, and so on. The vulnerability lies within the processing of pages in the devices' /fs/ directory.

In a perfect world, an RCE exploitable only from authenticated sessions would not be too bad – except that too many users leave default credentials in place. In that scenario, an RCE would provide an ideal path for devices to be recruited into a botnet.

TP-Link has released firmware updates with fixes, Talos said. Download the new code from the manufacturer's site, and install via the management portal. ®

Similar topics

Broader topics


Other stories you might like

  • How refactoring code in Safari's WebKit resurrected 'zombie' security bug
    Fixed in 2013, reinstated in 2016, exploited in the wild this year

    A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.

    That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.

    In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • What to do about inherent security flaws in critical infrastructure?
    Industrial systems' security got 99 problems and CVEs are one. Or more

    The latest threat security research into operational technology (OT) and industrial systems identified a bunch of issues — 56 to be exact — that criminals could use to launch cyberattacks against critical infrastructure. 

    But many of them are unfixable, due to insecure protocols and architectural designs. And this highlights a larger security problem with devices that control electric grids and keep clean water flowing through faucets, according to some industrial cybersecurity experts.

    "Industrial control systems have these inherent vulnerabilities," Ron Fabela, CTO of OT cybersecurity firm SynSaber told The Register. "That's just the way they were designed. They don't have patches in the traditional sense like, oh, Windows has a vulnerability, apply this KB."

    Continue reading
  • Halfords suffers a puncture in the customer details department
    I like driving in my car, hope my data's not gone far

    UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.

    Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.

    In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].

    Continue reading
  • FabricScape: Microsoft warns of vuln in Service Fabric
    Not trying to spin this as a Linux security hole, surely?

    Microsoft is flagging up a security hole in its Service Fabric technology when using containerized Linux workloads, and urged customers to upgrade their clusters to the most recent release.

    The flaw is tracked as CVE-2022-30137, an elevation-of-privilege vulnerability in Microsoft's Service Fabric. An attacker would need read/write access to the cluster as well as the ability to execute code within a Linux container granted access to the Service Fabric runtime in order to wreak havoc.

    Through a compromised container, for instance, a miscreant could gain control of the resource's host Service Fabric node and potentially the entire cluster.

    Continue reading
  • If you're using older, vulnerable Cisco small biz routers, throw them out
    Severe security flaw won't be fixed – as patches released this week for other bugs

    If you thought you were over the hump with Patch Tuesday then perhaps think again: Cisco has just released fixes for a bunch of flaws, two of which are not great.

    First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its outdated small business routers that it's not going to fix. In other words, junk your kit or somehow mitigate the risk.

    Both of these received a CVSS score of 9.8 out of 10 in severity. The IT giant urged customers to patch affected security appliances ASAP if possible, and upgrade to newer hardware if you're still using an end-of-life, buggy router. We note that miscreants aren't actively exploiting either of these vulnerabilities — yet.

    Continue reading
  • For a few days earlier this year, rogue GitHub apps could have hijacked countless repos
    A bit of a near-hit for the software engineering world

    A GitHub bug could have been exploited earlier this year by connected third-party apps to hijack victims' source-code repositories.

    For almost a week in late February and early March, rogue applications could have generated scoped installation tokens with elevated permissions, allowing them to gain otherwise unauthorized write or administrative access to developers' repos. For example, if an app was granted read-only access to an organization or individual's code repo, the app could effortlessly escalate that to read-write access.

    This security blunder has since been addressed and before any miscreants abused the flaw to, for instance, alter code and steal secrets and credentials, according to Microsoft's GitHub, which assured The Register it's "committed to investigating reported security issues."

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • DeadBolt ransomware takes another shot at QNAP storage
    Keep boxes updated and protected to avoid a NAS-ty shock

    QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.

    The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor's users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.

    The previous attacks occurred in January, March, and May.

    Continue reading

Biting the hand that feeds IT © 1998–2022