Regístrese ahora para una mejor cotización personalizada!

Vulnerability Deep Dive: TP-Link TL-R600VPN remote code execution vulnerabilities

Jan, 15, 2019 Hi-network.com

Vulnerability discovery and research by Jared Rittle and Carl Hurd of Cisco Talos.

Introduction

TP-Link recently patched three vulnerabilities in their TL-R600VPN gigabit broadband VPN router, firmware version 1.3.0. Cisco Talos publicly disclosed these issues after working with TP-Link to ensure that a patch was available. Now that a fix is out there, we want to take the time to dive into the inner workings of these vulnerabilities and show the approach we took with our proof-of-concept code.

Background

The TP-Link TL-R600VPN is a five-port small office/home office (SOHO) router. This device contains a Realtek RTL8198 integrated system on a chip. This particular chip uses an offshoot of the MIPS-1 architecture developed by Lexra. Except for a few proprietary instructions for handling unaligned load and store operations, these two instruction sets are essentially the same. The instructions that are not included in Lexra are LWL, SWL, LWR, and SWR. These proprietary instructions are often used when compiling a program for the more common MIPS-1 architecture and cause a segfault when encountered in Lexra. The knowledge of this key difference is imperative to assembling working code for the target.

For more information about Lexra MIPS and its differences with the MIPS-1 architecture, refer to

tag-icon Etiquetas calientes: Cisco Talos Talos vulnerability proof of concept exploitation Vulnerability Discovery deep dive tplink tp-link

Copyright © 2014-2024 Hi-Network.com | HAILIAN TECHNOLOGY CO., LIMITED | All Rights Reserved.