A critical vulnerability, CVE-2024-54887, has been discovered in the TP-Link TL-WR940N router, which could allow attackers to remotely execute arbitrary code without authentication. The issue stems from improper validation of HTTP parameters, particularly in the DNS server settings for IPv6. This flaw impacts hardware versions 3 and 4 of the router, enabling attackers to exploit a stack buffer overflow. Through this overflow, attackers can overwrite memory regions, granting them control over the device’s execution flow and potentially compromising connected networks.
The vulnerability was first identified through reverse engineering and exploit development efforts, which revealed a lack of essential protections in the router’s firmware. For instance, the router firmware lacks features such as NX (Non-Executable) and PIE (Position Independent Executable), which could have mitigated the risk of exploitation. The absence of these protections means that the device is more susceptible to attacks. By sending oversized requests to the router’s DNS server parameters, an attacker can trigger the buffer overflow, allowing them to manipulate the device’s behavior and gain unauthorized control.
Exploitation of this vulnerability involves sending a specially crafted HTTP request to the vulnerable endpoint of the router
Which includes a payload designed to overflow the buffer. The payload contains a NOP sled, followed by a series of gadgets that facilitate the execution of shellcode. The lack of ASLR (Address Space Layout Randomization) on the device allows attackers to predict memory addresses and use Return-Oriented Programming (ROP) to ensure that the shellcode is executed successfully. Once the exploit is triggered, attackers can gain remote access to the router, potentially leading to data breaches or other malicious activities.
To address this vulnerability, users are strongly advised to upgrade their routers to the latest firmware version, which fixes the flaw. Additionally, they should implement strong security practices, including using robust passwords and disabling features such as remote management to reduce exposure. Monitoring network traffic for suspicious activity is also recommended. The release of a proof-of-concept (PoC) exploit for CVE-2024-54887 serves as a wake-up call for both consumers and manufacturers to prioritize security in consumer devices.
