CVE-2023-43138 - TPLINK TL-ER512G Command Injection Vulnerability in NAPT Rules

TPLINK TL-ER512G (v4.) with firmware version 2.. Build 210817 Rel.80868n is vulnerable to a command injection vulnerability. An attacker can exploit this vulnerability to execute arbitrary system commands on the device by creating malicious NAPT (Network Address and Port Translation) rules after authenticating to the router's management interface. This vulnerability has been assigned the identifier CVE-2023-43138.

Exploit Details

The CVE-2023-43138 vulnerability is present in the router's functionality to add NAPT rules. NAPT is a method of mapping IP addresses and port numbers from the private network to a public-facing interface with an IP address and port number.

When an authenticated user adds a new NAPT rule, they can specify a rule name. This name field is mishandled and not properly sanitized, allowing for command injection.

To exploit this vulnerability, an attacker must authenticate to the router's web-based management interface either by retrieving login credentials or by exploiting another vulnerability that allows bypassing the authentication mechanism. The attacker then crafts a malicious rule name for the NAPT rule. The injected commands are executed with root privileges on the router, allowing the attacker full control over the device.

Here's a code snippet demonstrating the command injection vulnerability

POST /cgi-bin/web-html.cgi HTTP/1.1
Host: TPLINK_ROUTER_IP
Content-Type: application/x-www-form-urlencoded
Content-Length: ...

reqIDL=69&reqActN=addNaptRules&reqSubmI=1&lwHttps=&rule_name=$(INJECTED_COMMAND_HERE)&src_ip=192.168..&src_mask=255.255.255.&do_schedule=&schedule_name=&int_port=80&pub_port=808&descriptor=&dst_ip=192.168..1&remote_ip=ANY&protocol=TCP&statE=enabled

Replace $(INJECTED_COMMAND_HERE) with the desired command to execute, wrapped in command substitution syntax.

Original References

This vulnerability was discovered by an independent security researcher and subsequently reported to TPLINK. The company acknowledged the issue and is working on a patch to address this vulnerability. The details of the vulnerability, along with a proof-of-concept exploit, can be found in the following original references:

Mitigation and Recommendations

As of now, there is no official patch available for this vulnerability. Users of TPLINK TL-ER512G routers with firmware version 2.. Build 210817 Rel.80868n are advised to take the following precautions until a patch is available:

Conclusion

CVE-2023-43138 is a critical command injection vulnerability affecting TPLINK TL-ER512G routers with specific firmware. It allows an authenticated attacker to execute arbitrary system commands on the device by crafting malicious NAPT rules. Users should implement the recommended mitigation strategies until an official patch is available.

Timeline

Published on: 09/20/2023 20:15:12 UTC
Last modified on: 09/22/2023 02:12:01 UTC