A critical buffer overflow vulnerability, identified as CVE-2024-54887, has been discovered in TP-Link TL-WR940N routers, specifically affecting hardware versions 3 and 4 with firmware version 3.16.9 and earlier. 

This flaw allows authenticated attackers to execute arbitrary code remotely, posing a significant security risk to users.

The root cause appears to be a buffer overflow in the router’s web interface, specifically in the handling of DNS server parameters for IPv6 tunneling.

Overview of the TP-Link Router Buffer Overflow Vulnerability

According to Joward Bince, a security researcher, the vulnerability stems from improper input validation in the router’s httpd daemon. Two parameters, dnsserver1 and dnsserver2, used for configuring IPv6 DNS servers, are not properly length-checked before being copied into a fixed-size buffer.

This flaw allows an attacker to overflow the buffer and potentially overwrite critical memory areas, including the return address on the stack.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Researchers used the Firmadyne framework to emulate the router’s firmware for analysis. By mounting the filesystem and examining the httpd binary in Ghidra, they discovered that the device lacks both NX (No-Execute) and PIE (Position Independent Executable) protections, making exploitation easier.

The vulnerable function was identified by correlating web requests with backend functions. Unsafe C function calls like strcpy() were key indicators. 

It was found that while some string length validations were in place, the dnsserver1 and dnsserver2 parameters were left unchecked.

Proof-of-Concept Exploit

A proof-of-concept exploit was developed using Python. The exploit chain involves:

• Triggering the buffer overflow
• Overwriting the return address and other registers
• Using ROP (Return-Oriented Programming) gadgets to control execution flow
• Injecting and executing shellcode

The impact of this vulnerability is severe, as it allows an authenticated attacker to execute arbitrary code with root privileges. Potential malicious actions include:

• Installing persistent backdoors
• Intercepting network traffic
• Using the router as part of a botnet
• Modifying DNS settings for phishing attacks

TP-Link has confirmed that hardware versions 3 and 4 of the TL-WR940N have reached end-of-life status and will not receive further security updates. Users of these models are strongly advised to upgrade to newer, supported router models with current security features.

It is advised that users who are unable to upgrade right away disable remote administration, use strong passwords, apply any firmware upgrades that are available, and keep an eye out for any unusual network activity.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar