Two models of TP-Link’s budget routers are vulnerable to zero-day flaws that allow attackers to take control of both. The routers in question are models TP-Link WR940N and TL-WR941ND, according IBM Security that found the bugs and posted a technical analysis on its discoveries on Monday.
“In the case of these routers, we found a zero-day in the router could allow malicious third parties to take control of the device from a remote location,” wrote Grzegorz Wypych with IBM Research. According to TP-Link’s documentation on the routers, both models have been discontinued. However, an online search revealed both models available from retailers such as Target and Walmart.
As part of a larger IBM Security analysis on WLAN safety, Wypych examined both TP-Link router models and found that the vulnerabilities are tied to a web-based control panel users configure the devices with. “Controls that were placed on the owner’s interface cannot protect the actual router and could allow an attacker to take advantage of that fact,” Wypych wrote along with co-author of the report Limor Kessem.
They trace the bug to a web-based interface offering features such as a System Tools/Diagnostic tab. Here advanced users can send Internet Control Message Protocol (ICMP) echo requests/response packets via ping. Network devices use ICMP requests/responses to send error messages and operational information indicating if a requested service is not available or if a router can’t be reached.
“They can send packets either to an IPv4 address or to a hostname (on the targeted TP-Link router),” researchers wrote. “The panel’s security controls may limit character type and number, but nothing stops the user from intercepting requests with a Burp Suite (a graphical tool for testing web application security) proxy and malforming them.”
This is an opening an attacker can exploit. “When a user sends ping requests, a message is displayed on the device’s console referring to native code compiled to the firmware’s binary,” researcher said. Through a complex series of steps described in the post, researchers were able to create conditions ripe for a buffer overflow attack within the context of the router’s “Microprocessor without Interlocked Pipeline Stages” (MIPS) assembly language.
“We won’t go through a line-by-line analysis here… What’s interesting about it is the strcpy function call, which is the start of the TP-Link httpd process control, the vulnerable binary. What we have here is a classic buffer overflow issue,” researchers wrote.
Wypych and Kessem’s research into router vulnerabilities is ongoing. Both cited a study by The American Consumer Institute (PDF) that found 83 percent of routers have “high-risk” vulnerabilities.
“Most manufacturers outsource firmware that gets developed with costs in mind,” researchers said. “As such, it is rarely elaborate and, judging by the amount of router vulnerabilities out there, also rarely tested or secure. Making matters worse is the patch and update process: When was the last time you got a message prompting you to update your router’s firmware? Likely almost never.”
According to the TP-Link firmware update, patches became available March 12, 2019 for both. TL-WR940N router owners are encouraged to upgrade to firmware TL-WR940Nv3 and TL-WR941ND routers owners to TL-WR941NDv6 .