what you don't know can hurt you

TRENDnet Command Injection / Buffer Overflow / Cross Site Scripting

TRENDnet Command Injection / Buffer Overflow / Cross Site Scripting
Posted Dec 9, 2018
Authored by Mathias Payer, Hamed Okhravi, Prashast Srivastava, Howard Shrobe

TRENDnet devices suffer from buffer overflow, code execution, and cross site scripting vulnerabilities.

tags | advisory, overflow, vulnerability, code execution, xss
advisories | CVE-2018-19239, CVE-2018-19240, CVE-2018-19241, CVE-2018-19242
MD5 | 515ae13889d41a0f5bf739405ef16b9b

TRENDnet Command Injection / Buffer Overflow / Cross Site Scripting

Change Mirror Download
###########################################
Vulnerabilities found in TRENDnet devices

Authors:Prashast Srivastava, Mathias Payer
Howard Shrobe, Hamed Okhravi

Author contact: https://github.com/prashast/

###########################################

Multiple vulnerabilties including Command Injection, Buffer Overflow and
Reflective XSS vulnerabilties were found in the following TRENDnet devices:
Routers: TEW-634GRU, TEW-673GRU, TEW-632BRP
IP-Cameras: TV-IP110WN, TV-IP121WN
These were found using our dynamic analysis tool for embedded devices.
The POC's will be made available upon the public
release of our tool. A more detailed breakdown is presented
below on a per vulnerability basis:-

Command Injection
------------------

CVE-ID: CVE-2018-19239
Product: TEW-673GRU
Module affected: `start_arpping` function in `timer` binary
Firmware version: v1.00b40

TRENDnet TEW-673GRU v1.00b40 devices have an OS command injection
vulnerability in the `start_arpping` function of the
`timer binary`, which allows remote attackers to execute
arbitrary commands via three parameters (dhcpd_start, dhcpd_end, and
lan_ipaddr)
passed to the apply.cgi binary through a POST request. Exploiting the
vulnerability
requires a user to be authenticated with the router with
administrative credentials.

The `start_arpping` function reads the following values from the NVRAM
namely: dhcpd_start,
dhcpd_end, lan_ipaddr, lan_bridge and lan_eth. These values are then
passed to the
`arpping` utility without any sort of sanity checks.
Out of these values, the outward facing configuration webserver(httpd)
running at
`IP:192.168.10.1 Port: 80` allows a user to modify the first three
values `dhcpd_start`,
`dhcpd_end`, `lan_ipaddr` via the LAN and DHCP server configuration
webpage available at
`http://192.168.10.1/lan.asp` by making a POST request to `apply.cgi`
binary with the
appropriate parameters.

We have observed that the by directly making a POST request to the
`apply.cgi` binary
with the values of the above mentioned three parameters containing
Command Injection
based payloads, it is possible to execute arbitrary commands on the
router with root
privileges.

Buffer Overflows
------------------

CVE-ID: CVE-2018-19240
Products:
- TV-IP110WN (V1.2.2 build 68, V1.2.2.65, and V1.2.2 build 64)
- TV-IP121WN (V1.2.2 build 28)
Module affected: `network.cgi`

Buffer overflow can be exploited by using the `iptype` parameter
in network.cgi on TRENDnet TV-IP110WN V1.2.2 build 68,
V1.2.2.65, and V1.2.2 build 64 and TV-IP121WN V1.2.2 build 28 devices allows
attackers to hijack the control flow to any attacker-specified location by
crafting a POST request payload (without authentication)

x-----------x

CVE-ID: CVE-2018-19241
Products:
- TV-IP110WN (V1.2.2 build 68, V1.2.2.65, and V1.2.2 build 64)
- TV-IP121WN (V1.2.2 build 28)
Module affected: `video.cgi`

A BoF vulnerability exists in the CGI binary which can modify the quality of
the video recorded on the camera. A sub-routine respondAsp is called that
copies a user-controlled parameter into a stack variable using strcpy
without any
bounds check. This makes the subroutine vulnerable to BoF and can be exploited
without authentication

x-----------x

Products:
- TV-IP110WN (V1.2.2 build 68, V1.2.2.65, and V1.2.2 build 64)
- TV-IP121WN (V1.2.2 build 28)
Module affected: `watch.cgi`

A BoF vulnerability exists in the `watch.cgi` binary and how it handles
the `url` parameter. An attacker can deliver its payload using a POST request
in the `url` parameter to trigger the BoF vulnerability without authentication.

x-----------x

CVE-ID: CVE-2018-19242
Products:
- TEW-632BRP (1.010B32)
- TEW-673GRU (v1.00b40)
Module affected: `apply.cgi`


Buffer overflow in apply.cgi on TRENDnet TEW-632BRP 1.010B32 and TEW-673GRU
devices allows attackers to hijack the control flow to any attacker-specified
location by crafting a POST request payload(with authentication).


Reflective XSS
---------------

Products:
- TEW-632BRP (1.010B32)
- TEW-673GRU (v1.00b40)
- TEW-634GRU (v1.01B14)

Module affected: `login.cgi`

`Login.cgi` in TRENDNet TEW-632BRP, TEW-673GRU and TEW-634GRU has a
reflected XSS
vulnerability that does not require any authentication.

Vendor Disclosure
------------------

The vulnerabilities had been notified to the vendor 12/03.
The vendor replied on 12/05 that since the products had reached their
end-of-life no future development or firmware updates
would be provided for these devices.


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    15 Files
  • 2
    Mar 2nd
    5 Files
  • 3
    Mar 3rd
    3 Files
  • 4
    Mar 4th
    25 Files
  • 5
    Mar 5th
    20 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    12 Files
  • 9
    Mar 9th
    3 Files
  • 10
    Mar 10th
    4 Files
  • 11
    Mar 11th
    23 Files
  • 12
    Mar 12th
    12 Files
  • 13
    Mar 13th
    12 Files
  • 14
    Mar 14th
    19 Files
  • 15
    Mar 15th
    12 Files
  • 16
    Mar 16th
    3 Files
  • 17
    Mar 17th
    1 Files
  • 18
    Mar 18th
    15 Files
  • 19
    Mar 19th
    22 Files
  • 20
    Mar 20th
    14 Files
  • 21
    Mar 21st
    8 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close