
CVE-2019-17147 PoC — TP-Link TL-WR841N 缓冲区错误漏洞

Source
Associated Vulnerability
Title: TP-Link TL-WR841N buffer error vulnerability (CVE-2019-17147)
Description: The TP-Link TL-WR841N is a wireless router made by the Chinese company TP-Link. The web service in the TP-LINK TL-WR841N (listening on TCP port 80 by default) has a buffer error vulnerability that stems from the program failing to check bounds correctly. A remote attacker can exploit this vulnerability with a specially crafted HTTP request to execute arbitrary code in the context of the admin user.
Description
This repo contains dumped flash partitions with a firmware version vulnerable to CVE-2019-17147, and some useful binaries to downgrade and debug your WR841N router.
Readme
# CVE-2019-17147_Practice_Material
This repo contains dumped flash partitions with a firmware version vulnerable to CVE-2019-17147, and some useful binaries to downgrade and debug your WR841N (V14) router.
<br><br>
**Doing hardware modifications such as overwriting flash chip partitions has its risks. Evaluate the risks and decide for yourself whether you want to do it or not.**

## Why?
The post from ZDI: [https://www.zerodayinitiative.com/blog/2019/12/2/mindshare-hardware-reversing-with-the-tp-link-tl-wr841n-router-part-2](https://www.zerodayinitiative.com/blog/2019/12/2/mindshare-hardware-reversing-with-the-tp-link-tl-wr841n-router-part-2) demonstrated a very interesting vulnerability that I would really like to try out and learn something from.<br>
Unfortunately the firmware version ``(US) 0.9.1 4.16 v007c.0 Build 180613 Rel.42415n`` has already been taken down from the US website and can no longer be downloaded. <br>However, I do have some WR841N units running firmware version ``(TW) 0.9.1 4.16 v009e.0 Build 180516 Rel.81030n``, which is older than the one ZDI exploited, and the same vulnerability still exists.<br>
<br>
I guess many more people would be interested in reproducing this exploit but face the same problem: they are unable to find a working WR841N running a vulnerable firmware version. <br>If you are using TW, EU or JP version hardware, it is still possible to download a firmware version older than 180613 (which means it was built on 2018/06/13) and downgrade your router just by "upgrading" it with the old firmware from the official website.<br><br>
Although a firmware downgrade is possible, the WR841N actually checks and won't accept firmware meant for hardware sold in different countries. So people living in countries where TP-Link doesn't provide a vulnerable firmware version on its website (for example, the US) will need to bypass the check in the HTTP server and write the vulnerable firmware directly into the flash chip of their device. That's what this repo is mainly for.<br>
<br>
I've also cross-compiled a static ``busybox`` and ``gdbserver`` that work on the WR841N for anyone who would like to try to debug and recreate the exploit.

## Backup your flash partitions
Before attempting to overwrite your flash partitions, you should back up the current ones so that you can restore your router after you're done playing with this vulnerable version.

I assume you are already familiar with using the serial console so I'll skip the hardware part.<br>

1. Set up a tftp server on the machine of your choice.

2. In WR841N console:
<br>(Replace the IP address with that of your tftp server)
```
~ # cat /dev/mtd0 > /var/WR841N_backup_mtd0_boot.bin
~ # tftp -p -r /var/WR841N_backup_mtd0_boot.bin 192.168.0.100
~ # rm /var/WR841N_backup_mtd0_boot.bin
~ #
~ # cat /dev/mtd1 > /var/WR841N_backup_mtd1_kernel.bin
~ # tftp -p -r /var/WR841N_backup_mtd1_kernel.bin 192.168.0.100
~ # rm /var/WR841N_backup_mtd1_kernel.bin
~ #
~ # cat /dev/mtd2 > /var/WR841N_backup_mtd2_rootfs.bin
~ # tftp -p -r /var/WR841N_backup_mtd2_rootfs.bin 192.168.0.100
~ # rm /var/WR841N_backup_mtd2_rootfs.bin
```

3. Check the .bin files with binwalk to make sure you have successfully backed up your flash partitions.<br><br>

## How to overwrite flash partition with vulnerable ones
The flash partitions in the WR841N are as follows:

```
dev:    size   erasesize  name
mtd0: 00010000 00010000 "boot"
mtd1: 000f0000 00010000 "kernel"
mtd2: 002e0000 00010000 "rootfs"
mtd3: 00010000 00010000 "config"
mtd4: 00010000 00010000 "radio"
```
The main partition you need to overwrite is ```rootfs``` (mtd2), but for stability's sake we'll overwrite ```boot``` and ```kernel``` too.<br>
I did not provide the ```config``` and ```radio``` partitions because they do not affect the vulnerability, and you certainly don't want to mess with RF settings anyway, to avoid potential legal problems.
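To go with the backup check in step 3 above and the partition table just shown, here is a small host-side sanity check (added example, not part of this repo) that parses the `/proc/mtd` listing from this README and verifies a dumped `.bin` (or an image you are about to `flashcp`) against the partition size, and flags a dump that is all `0xFF`, which usually means the partition was not actually read. The `MTD_TABLE` text is copied from the table above; everything else is assumed helper code.

```python
import re
from pathlib import Path

# /proc/mtd layout of the TL-WR841N, exactly as listed in this README
MTD_TABLE = """\
dev:    size   erasesize  name
mtd0: 00010000 00010000 "boot"
mtd1: 000f0000 00010000 "kernel"
mtd2: 002e0000 00010000 "rootfs"
mtd3: 00010000 00010000 "config"
mtd4: 00010000 00010000 "radio"
"""

MTD_LINE = re.compile(r'^(mtd\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"([^"]+)"$')


def parse_mtd(text):
    """Return {name: (device, size_bytes, erasesize_bytes)} from /proc/mtd text."""
    parts = {}
    for line in text.splitlines():
        m = MTD_LINE.match(line.strip())
        if m:
            dev, size, erase, name = m.groups()
            parts[name] = (dev, int(size, 16), int(erase, 16))
    return parts


def check_image(data, name, parts, require_full=True):
    """Check image bytes for partition `name` against the table.
    require_full=True  -> a backup dump must be exactly the partition size.
    require_full=False -> an image to be flashed may be smaller, never larger.
    Returns a list of problem strings; an empty list means it looks sane."""
    if name not in parts:
        return [f"unknown partition {name!r}"]
    dev, size, _erase = parts[name]
    problems = []
    if len(data) > size:
        problems.append(f"{name}: {len(data)} bytes but {dev} holds only {size}")
    elif require_full and len(data) != size:
        problems.append(f"{name}: {len(data)} bytes, expected a full {size}-byte dump of {dev}")
    if data and data.count(0xFF) == len(data):
        problems.append(f"{name}: image is all 0xFF (erased or unread flash?)")
    return problems


def check_file(path, name, require_full=True):
    """Convenience wrapper: check a .bin file on disk, e.g. a tftp'd backup."""
    return check_image(Path(path).read_bytes(), name, parse_mtd(MTD_TABLE), require_full)
```

For the backups above you would call `check_file("WR841N_backup_mtd2_rootfs.bin", "rootfs")`; binwalk then tells you whether the contents are a real SquashFS/kernel image rather than garbage.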

---
1. Transfer ``flashcp`` into WR841N with tftp.

In the WR841 shell:
```
~ # cd /var
/var # tftp -g -r flashcp 192.168.0.100
/var # chmod +x flashcp
```

(Replace the IP address with your machine that is running tftp server, of course.)

---
 
2. Transfer ``TW_wr841N_mtd0_boot_180516.bin`` into WR841N and overwrite with ``flashcp``:
```
/var # tftp -g -r TW_wr841N_mtd0_boot_180516.bin 192.168.0.100
/var # ./flashcp TW_wr841N_mtd0_boot_180516.bin /dev/mtd0
/var # rm TW_wr841N_mtd0_boot_180516.bin
```
<br>
Note: The order in which you transfer and overwrite the partitions does not matter, but make sure you do them **ONE BY ONE** and do not transfer all the .bin files to the WR841N at once.<br> Remove the .bin you already flashed before transferring the next one. The router has very limited memory and will crash if you transfer too much to its ramfs!

<br>

---
3. Transfer ``TW_wr841N_mtd1_kernel_180516.bin`` into WR841N and overwrite with ``flashcp``:
```
/var # tftp -g -r TW_wr841N_mtd1_kernel_180516.bin 192.168.0.100
/var # ./flashcp TW_wr841N_mtd1_kernel_180516.bin /dev/mtd1
/var # rm TW_wr841N_mtd1_kernel_180516.bin
```

---

4. Transfer ``TW_wr841N_mtd2_rootfs_180516.bin`` into WR841N and overwrite with ``flashcp`` (this is the largest partition, so flashcp will take some time to finish):
```
/var # tftp -g -r TW_wr841N_mtd2_rootfs_180516.bin 192.168.0.100
/var # ./flashcp TW_wr841N_mtd2_rootfs_180516.bin /dev/mtd2
/var # rm TW_wr841N_mtd2_rootfs_180516.bin
```

---

5. Reboot the router and you should see its web management page turn entirely into traditional Chinese, with the firmware version shown as ``0.9.1 4.16 v009e.0 Build 180516 Rel.81030n``.

<br><br>

![FW](https://github.com/DrmnSamoLiu/CVE-2019-17147_Practice_Material/raw/main/Img/FW.png)

## Notes

1. The PoC provided by ZDI won't work out of the box on the firmware version provided here, since the memory offsets are different. You should try to modify ZDI's PoC or create your own exploit :) <br><br>
2. All the binaries were cross-compiled by myself with ``buildroot-2021.02.6``.<br><br>
3. The language of the firmware shouldn't matter much, since most of the work of debugging and developing an exploit is done in the console. However, I could try to build flashable partitions from the vulnerable EU or JP version if someone really needs it and makes a request.<br><br>
4. Needless to say, doing hardware modifications such as overwriting flash chip partitions has its risks. Evaluate the risks and decide for yourself whether you want to do it or not.

File Snapshot

[4.0K] /data/pocs/43a6b26063b199ed704a0f232b7417120d081dac
├── [1.3M] busybox_1.33.1_musl_mipselr2
├── [152K] flashcp
├── [4.0K] Flash_partition
│   ├── [ 64K] TW_wr841N_mtd0_boot_180516.bin
│   ├── [960K] TW_wr841N_mtd1_kernel_180516.bin
│   └── [2.9M] TW_wr841N_mtd2_rootfs_180516.bin
├── [1.1M] gdbserver_9.2_musl_mipselr2
├── [4.0K] Img
│   └── [ 52K] FW.png
└── [6.2K] README.md

2 directories, 8 files