==============================================================
Unauthenticated Stored Cross-site Scripting in Multiple TP-Link Devices
==============================================================

Overview
========

Title:- Unauthenticated Stored Cross-site Scripting in TP-Link Devices.
CVE-ID :- CVE-2021-3275
Author: Smriti Gaba, Kaustubh Padwad
Vendor: TP-LINK (https://www.tp-link.com)
Products:
1. DSL and DSL Gateway
2. Access Points
3. WIFI Routers


Tested Version: : Multiple versions of DSL & DSL Gateway, WIFI Routers and
Access Points including:

-------------------------------------------------------------------------------
Model             |   Firmware Version
    |
-------------------------------------------------------------------------------
TD-W9977          |
TD-W9977v1_0.1.0_0.9.1_up_boot(161123)_2016-11-23_15.36.15 |
TL-WA801ND        | TL-WA801NDv5_US_0.9.1_3.16_up_boot[170905-rel56404]
   |
TL-WA801N         | TL-WA801Nv6_EU_0.9.1_3.16_up_boot[200116-rel61815]
    |
TL-WR802N         | TL-WR802Nv4_US_0.9.1_3.17_up_boot[200421-rel38950]
    |
Archer-C3150      | ArcherC3150(US)_V2_170926)
    |
-------------------------------------------------------------------------------

Severity: Med-High

About the Product:
==================

* The (products from above list)  are high performance WIFI
Routers(Wireless AC routers), Access Points, ADSL + DSL Gateways and
Routers.
* Provides Configuration modes: Access Point mode, Router Mode, Range
Extender mode.
* Provide Ethernet and other interfaces to meet the access requirements of
different devices.
* It can provide high-performance functionalities, services for home users,
individual users, and businesses.
* Supports multiple functionalities including CWMP management, TR069
Configuration, SNMP management, Traffic statistics, etc.

Description:
============
An issue was discovered, common to all the TP-Link products including WIFI
Routers(Wireless AC routers), Access Points, ADSL + DSL Gateways and
Routers.
This affected TD-W9977v1,TL-WA801NDv5, TL-WA801Nv6, TL-WA802Nv5, Archer
C3150v2 devices.
A malicious XSS payload if injected in hostname of Wireless Client devices
connected to TP-Link device, allows remote attackers to execute
unauthenticated malicious scripts because of improper validation of
hostname. Some of the pages including dhcp.htm, networkMap.htm,
dhcpClient.htm, qsEdit.htm, qsReview.htm and others use this vulnerable
hostname function(setDefaultHostname()) without sanitization and push the
value of hostname ($defaulthostname) directly to the ACT stack along with
other parameters. The ACT stack is called on for multiple operation ids
covering LAN, WAN and while intialisation of multiple tables (arp, dhcp,
client list) across the device. For example, ACT_SET stack for WAN_IP_CONN
is called while dhcp operation, during which value of vulnerable
defaulthostname is being assigned to parameter X_TP_Hostname and pushed to
stack.
This causes XSS at all the endpoints which display hostname for example:
Wireless client information table, ARP bind table such as networkMap, DHCP.


Additional Information
========================
The hostname value is only validated on ASCII characters, while there is no
validation for Non-ASCII characters which allows hostname with XSS payload
say "<script>alert('XSS')</script>" to execute.
This value of hostname is pushed to an array as plain text along with IP
address and MAC address in initClientListTable() function, and other tables
use the same value of hostname accross the device. This array is then
returned to the callback function which in turn is called from proxy.js.
This data is pushed to stack corresponding to operation:"LAN_HOST_ENTRY"
(vary for different firmware), operation id: "gl" (gl is getList function).
As client initiates request with operation id:"LAN_HOST_ENTRY" and oid:
"gl", $dm.getList and $.act is called which fetches the corresponding stack
and sends data to ajax call. The crafted value of hostname is sent to the
device and results in execution of payload.


[Affected Component]
hostName parameter inside different htm pages including DHCP, DhcpAP,
ArpBind, networkMap.

------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true

------------------------------------------
[Attack Vectors]
Malicious payload execution on initiating request for Wireless Client List
table or DHCP html page.

[Vulnerability Type]
====================
Stored Cross-site Scripting

How to Reproduce: (POC):
========================

    1. Change the default hostname of wireless client by using following
command (for Linux):
        a. vi /etc/dhcp/dhclient.conf
        b. Insert and change the value of hostname to xss payload
"<script>alert('XSS')</script>"
    2. Renew IP address by sending DHCP request to TP-Link device via
following command:
        a. vi /etc/network/interfaces
        b. Add these lines:
            auto wlan0
            iface wlan0 inet dhcp
        c. On Terminal run command: ifup wlan0
    3. Login to the router web interface, navigate to DHCP settings or
Wireless Client tab.
    4. As soon as DHCP or Wireless client table is requested Xss payload
executes and pops up alert box.

Mitigation
==========

 ---------------------------------------------------------------------------------------------------------
| Model             |   Firmware Version
       | Mitigation Comments   |
 ---------------------------------------------------------------------------------------------------------
| TL-WA801ND        | TL-WA801NDv5_US_0.9.1_3.16_up_boot[170905-rel56404]
      | Patched               |
| TL-WA801N         | TL-WA801Nv6_EU_0.9.1_3.16_up_boot[200116-rel61815]
       | Patched               |
| TL-WR802N         | TL-WR802Nv4_US_0.9.1_3.17_up_boot[200421-rel38950]
       | Patched               |
| Archer-C3150      | ArcherC3150(US)_V2_170926)
       | EOL Product           |
| TD-W9977          |
TD-W9977v1_0.1.0_0.9.1_up_boot(161123)_2016-11-23_15.36.15  | EOL Product
        |
 ---------------------------------------------------------------------------------------------------------

Link for patched software version for products:
    1. TL-WA801ND -
https://tp-link.com/beta/2021/202101/20210120/TL-WA801NDv5_US_0.9.1_3.16_up_boot[210119-rel61453].zip
    2. TL-WA801N -
https://tp-link.com/beta/2021/202101/20210120/TL-WA801Nv6_EU_0.9.1_3.16_up_boot[210119-rel62190].zip
    3. TL-WR802N -
https://tp-link.com/beta/2021/202101/20210120/TL-WR802Nv4_US_0.9.1_3.17_up_boot[210119-rel63071].zip

[Vendor of Product]
TP-LINK (https://www.tp-link.com)

Disclosure Timeline:
===================
24-July-2020 Discoverd the vulnerability
11-Aug-2020 Responsibly disclosed vulnerability to vendor
15-Aug-2020 Vendor Acknowledged the disclosure
17-Nov-2020 Communicated with vendor after 90 days for updates
19-Nov-2020 Vendor asked for model and version details
20-Nov-2020 Provided the required details to vendor
25-Nov-2020 Vendor provided software build to verify the issue
9-Dec-2020 Issue not fixed in the provided software.
4-Jan-2021 Asked Updates on the status of the issue.
20-Jan-2021 Vendor provided software build to verify the issue.
20-Jan-2021 Issue found fixed in the provided software.
21-Jan-2021 Requested for CVE-ID assignment
25-March-2021 CVE-ID Assigned.

credits:
========

* Smriti Gaba
* Security Researcher
* smritigaba548@gmail.com
* https://www.linkedin.com/in/smriti-gaba-658795135/

* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@me.com
* https://twitter.com/s3curityb3ast