TRENDnet Command Injection / Buffer Overflow / Cross Site Scripting

Posted Dec 9, 2018
Authored by Mathias Payer, Hamed Okhravi, Prashast Srivastava, Howard Shrobe

TRENDnet devices suffer from buffer overflow, code execution, and cross site scripting vulnerabilities.

tags | advisory, overflow, vulnerability, code execution, xss
advisories | CVE-2018-19239, CVE-2018-19240, CVE-2018-19241, CVE-2018-19242
SHA-256 | f4f105cc731bba444d75c5dd728b0cd23a7aa26f5bf52dfd3001c43bcd7bcc37

###########################################
Vulnerabilities found in TRENDnet devices

Authors: Prashast Srivastava, Mathias Payer
Howard Shrobe, Hamed Okhravi

Author contact: https://github.com/prashast/

###########################################

Multiple vulnerabilities including Command Injection, Buffer Overflow and
Reflective XSS vulnerabilities were found in the following TRENDnet devices:
Routers: TEW-634GRU, TEW-673GRU, TEW-632BRP
IP-Cameras: TV-IP110WN, TV-IP121WN
These were found using our dynamic analysis tool for embedded devices.
The PoCs will be made available upon the public release of our tool.
A more detailed breakdown is presented below on a per-vulnerability basis:

Command Injection
------------------

CVE-ID: CVE-2018-19239
Product: TEW-673GRU
Module affected: `start_arpping` function in `timer` binary
Firmware version: v1.00b40

TRENDnet TEW-673GRU v1.00b40 devices have an OS command injection
vulnerability in the `start_arpping` function of the `timer` binary, which
allows remote attackers to execute arbitrary commands via three parameters
(dhcpd_start, dhcpd_end, and lan_ipaddr) passed to the apply.cgi binary
through a POST request. Exploiting the vulnerability requires a user to be
authenticated with the router with administrative credentials.

The `start_arpping` function reads the following values from the NVRAM:
dhcpd_start, dhcpd_end, lan_ipaddr, lan_bridge and lan_eth. These values are
then passed to the `arpping` utility without any sort of sanity checks.
Of these values, the outward-facing configuration webserver (httpd) running
at `IP: 192.168.10.1 Port: 80` allows a user to modify the first three
(`dhcpd_start`, `dhcpd_end`, `lan_ipaddr`) via the LAN and DHCP server
configuration webpage available at `http://192.168.10.1/lan.asp`, which makes
a POST request to the `apply.cgi` binary with the appropriate parameters.

We have observed that by directly making a POST request to the `apply.cgi`
binary with the values of the three parameters mentioned above containing
command-injection payloads, it is possible to execute arbitrary commands on
the router with root privileges.
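The defect described above is the combination of unvalidated NVRAM values and a shell-interpolated command line. The added example below (not code from the TRENDnet firmware or from the authors' tool) shows the two-part fix: validate each web-settable value as a dotted-quad IPv4 address, and hand the values to `arpping` as separate argv elements for `execv()` instead of building a string for `system()`. The `/usr/sbin/arpping` path and the argument order are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Accept only "a.b.c.d" with each octet 0-255 and no other characters.
 * Anything else (';', '`', '$', '|', whitespace, ...) is rejected, so no
 * shell metacharacter can ever reach the command line. */
int is_valid_ipv4(const char *s)
{
    int octets = 0;
    if (s == NULL) return 0;
    while (*s) {
        int val = 0, digits = 0;
        while (isdigit((unsigned char)*s)) {
            val = val * 10 + (*s - '0');
            if (++digits > 3 || val > 255) return 0;
            s++;
        }
        if (digits == 0) return 0;          /* empty octet, e.g. "1..2" */
        octets++;
        if (*s == '.') {
            s++;
            if (*s == '\0') return 0;       /* trailing dot */
        } else if (*s != '\0') {
            return 0;                       /* any non-digit, non-dot byte */
        }
    }
    return octets == 4;
}

/* Build the argv that start_arpping should pass to execv(). Returns 0 and
 * fills argv (NULL-terminated) only if every value validates; -1 otherwise.
 * Because each value is its own argv element and no shell is involved, the
 * values are data, never command syntax. Path/argument layout is assumed. */
int build_arpping_argv(const char *dhcpd_start, const char *dhcpd_end,
                       const char *lan_ipaddr, const char **argv)
{
    if (!is_valid_ipv4(dhcpd_start) || !is_valid_ipv4(dhcpd_end) ||
        !is_valid_ipv4(lan_ipaddr))
        return -1;
    argv[0] = "/usr/sbin/arpping";   /* assumed location of the utility */
    argv[1] = dhcpd_start;
    argv[2] = dhcpd_end;
    argv[3] = lan_ipaddr;
    argv[4] = NULL;
    return 0;
}
```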

Buffer Overflows
------------------

CVE-ID: CVE-2018-19240
Products:
- TV-IP110WN (V1.2.2 build 68, V1.2.2.65, and V1.2.2 build 64)
- TV-IP121WN (V1.2.2 build 28)
Module affected: `network.cgi`

A buffer overflow reachable through the `iptype` parameter of network.cgi on
TRENDnet TV-IP110WN V1.2.2 build 68, V1.2.2.65, and V1.2.2 build 64 and
TV-IP121WN V1.2.2 build 28 devices allows attackers to hijack the control
flow to any attacker-specified location by crafting a POST request payload
(without authentication).

x-----------x

CVE-ID: CVE-2018-19241
Products:
- TV-IP110WN (V1.2.2 build 68, V1.2.2.65, and V1.2.2 build 64)
- TV-IP121WN (V1.2.2 build 28)
Module affected: `video.cgi`

A BoF vulnerability exists in the CGI binary which can modify the quality of
the video recorded on the camera. A sub-routine respondAsp is called that
copies a user-controlled parameter into a stack variable using strcpy without
any bounds check. This makes the subroutine vulnerable to BoF, and it can be
exploited without authentication.

x-----------x

Products:
- TV-IP110WN (V1.2.2 build 68, V1.2.2.65, and V1.2.2 build 64)
- TV-IP121WN (V1.2.2 build 28)
Module affected: `watch.cgi`

A BoF vulnerability exists in the `watch.cgi` binary in how it handles
the `url` parameter. An attacker can deliver their payload in the `url`
parameter of a POST request to trigger the BoF without authentication.

x-----------x

CVE-ID: CVE-2018-19242
Products:
- TEW-632BRP (1.010B32)
- TEW-673GRU (v1.00b40)
Module affected: `apply.cgi`


Buffer overflow in apply.cgi on TRENDnet TEW-632BRP 1.010B32 and TEW-673GRU
devices allows attackers to hijack the control flow to any attacker-specified
location by crafting a POST request payload (with authentication).


Reflective XSS
---------------

Products:
- TEW-632BRP (1.010B32)
- TEW-673GRU (v1.00b40)
- TEW-634GRU (v1.01B14)

Module affected: `login.cgi`

`Login.cgi` in TRENDnet TEW-632BRP, TEW-673GRU and TEW-634GRU has a
reflected XSS vulnerability that does not require any authentication.

Vendor Disclosure
------------------

The vulnerabilities were reported to the vendor on 12/03.
The vendor replied on 12/05 that since the products had reached their
end-of-life, no future development or firmware updates
would be provided for these devices.

