########################################### Vulnerabilities found in TRENDnet devices Authors:Prashast Srivastava, Mathias Payer Howard Shrobe, Hamed Okhravi Author contact: https://github.com/prashast/ ########################################### Multiple vulnerabilties including Command Injection, Buffer Overflow and Reflective XSS vulnerabilties were found in the following TRENDnet devices: Routers: TEW-634GRU, TEW-673GRU, TEW-632BRP IP-Cameras: TV-IP110WN, TV-IP121WN These were found using our dynamic analysis tool for embedded devices. The POC's will be made available upon the public release of our tool. A more detailed breakdown is presented below on a per vulnerability basis:- Command Injection ------------------ CVE-ID: CVE-2018-19239 Product: TEW-673GRU Module affected: `start_arpping` function in `timer` binary Firmware version: v1.00b40 TRENDnet TEW-673GRU v1.00b40 devices have an OS command injection vulnerability in the `start_arpping` function of the `timer binary`, which allows remote attackers to execute arbitrary commands via three parameters (dhcpd_start, dhcpd_end, and lan_ipaddr) passed to the apply.cgi binary through a POST request. Exploiting the vulnerability requires a user to be authenticated with the router with administrative credentials. The `start_arpping` function reads the following values from the NVRAM namely: dhcpd_start, dhcpd_end, lan_ipaddr, lan_bridge and lan_eth. These values are then passed to the `arpping` utility without any sort of sanity checks. Out of these values, the outward facing configuration webserver(httpd) running at `IP:192.168.10.1 Port: 80` allows a user to modify the first three values `dhcpd_start`, `dhcpd_end`, `lan_ipaddr` via the LAN and DHCP server configuration webpage available at `http://192.168.10.1/lan.asp` by making a POST request to `apply.cgi` binary with the appropriate parameters. We have observed that the by directly making a POST request to the `apply.cgi` binary with the values of the above mentioned three parameters containing Command Injection based payloads, it is possible to execute arbitrary commands on the router with root privileges. Buffer Overflows ------------------ CVE-ID: CVE-2018-19240 Products: - TV-IP110WN (V1.2.2 build 68, V1.2.2.65, and V1.2.2 build 64) - TV-IP121WN (V1.2.2 build 28) Module affected: `network.cgi` Buffer overflow can be exploited by using the `iptype` parameter in network.cgi on TRENDnet TV-IP110WN V1.2.2 build 68, V1.2.2.65, and V1.2.2 build 64 and TV-IP121WN V1.2.2 build 28 devices allows attackers to hijack the control flow to any attacker-specified location by crafting a POST request payload (without authentication) x-----------x CVE-ID: CVE-2018-19241 Products: - TV-IP110WN (V1.2.2 build 68, V1.2.2.65, and V1.2.2 build 64) - TV-IP121WN (V1.2.2 build 28) Module affected: `video.cgi` A BoF vulnerability exists in the CGI binary which can modify the quality of the video recorded on the camera. A sub-routine respondAsp is called that copies a user-controlled parameter into a stack variable using strcpy without any bounds check. This makes the subroutine vulnerable to BoF and can be exploited without authentication x-----------x Products: - TV-IP110WN (V1.2.2 build 68, V1.2.2.65, and V1.2.2 build 64) - TV-IP121WN (V1.2.2 build 28) Module affected: `watch.cgi` A BoF vulnerability exists in the `watch.cgi` binary and how it handles the `url` parameter. An attacker can deliver its payload using a POST request in the `url` parameter to trigger the BoF vulnerability without authentication. x-----------x CVE-ID: CVE-2018-19242 Products: - TEW-632BRP (1.010B32) - TEW-673GRU (v1.00b40) Module affected: `apply.cgi` Buffer overflow in apply.cgi on TRENDnet TEW-632BRP 1.010B32 and TEW-673GRU devices allows attackers to hijack the control flow to any attacker-specified location by crafting a POST request payload(with authentication). Reflective XSS --------------- Products: - TEW-632BRP (1.010B32) - TEW-673GRU (v1.00b40) - TEW-634GRU (v1.01B14) Module affected: `login.cgi` `Login.cgi` in TRENDNet TEW-632BRP, TEW-673GRU and TEW-634GRU has a reflected XSS vulnerability that does not require any authentication. Vendor Disclosure ------------------ The vulnerabilities had been notified to the vendor 12/03. The vendor replied on 12/05 that since the products had reached their end-of-life no future development or firmware updates would be provided for these devices.