Tuesday, January 21, 2025
HomeCVE/vulnerabilityPoC Exploit Released for TP-Link Code Execution Vulnerability (CVE-2024-54887)

PoC Exploit Released for TP-Link Code Execution Vulnerability (CVE-2024-54887)

Published on

SIEM as a Service

Follow Us on Google News

A serious code execution vulnerability in the TP-Link TL-WR940N router, identified as CVE-2024-54887, has become the focus of intense scrutiny following the release of a proof-of-concept (PoC) exploit.

This vulnerability allows attackers to execute arbitrary code on the device remotely without authentication, posing significant risks to network security.

The following article provides an overview of the vulnerability, the exploit development process, and the implications for users and manufacturers.

Understanding CVE-2024-54887

CVE-2024-54887 specifically targets TP-Link TL-WR940N routers running hardware versions 3 and 4. The vulnerability arises from improper validation of HTTP parameters, particularly in the DNS server settings for IPv6.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

The vulnerable parameters dnsserver1 and dnsserver2 can be exploited through stack buffer overflow, which can overwrite critical memory regions, leading to control over the device’s execution flow.

Configuring DDNS sends a request to the NoipDddnsRpm.htm endpoint with 4 parameters
Configuring DDNS sends a request to the NoipDddnsRpm.htm endpoint with 4 parameters

The discovery of this vulnerability originated from an interest in reverse engineering and exploit development. Using tools like Firmadyne, researchers have been able to emulate the router’s firmware, allowing for dynamic and static analysis.

According to the InfoSec in Medium, Static analysis revealed that the router firmware lacked significant protections, such as NX (Non-Executable) and PIE (Position Independent Executable), indicating potential avenues for exploitation.

The researcher identified that while most parameters in the router’s HTTP requests incorporated basic string length checks, the DNS server parameters did not. By sending oversized requests, an attacker could manipulate the execution flow, leading to a stack overflow.

Exploit Development

The exploit was developed by constructing a crafted HTTP request aimed at overflowing the buffer used for the DNS server settings. Here’s the key component of the Python script, which encapsulates the exploit:

#!/usr/bin/python3

import urllib.parse

import requests

import struct

def exploit(session_url, auth):

    print("[+] Sending exploit to: " + session_url + "Wan6to4TunnelCfgRpm.htm")

    libc_base = 0x2aae2000  # Base address for libc

    shellcode = b"\x24\x0f\xff\xfa\x01\xe0\x78..."  # Truncated for brevity

    # Craft payload

    payload = 'A' * 596  # Buffer overflow

    # NOP sled for shellcode

    payload += b'\x27\x70\xc0\x01'  # NOP instruction

    # Adding gadgets and shellcode

    payload += struct.pack(">I", libc_base + 0x3680c)  # Gadget for execution control

    payload += b"B" * 40  # Padding to shellcode

    payload += shellcode  # Actual shellcode

    # Complete URL with exploit

    exploit_url = session_url + "Wan6to4TunnelCfgRpm.htm?dnsserver1=" + payload

    requests.get(exploit_url, headers={"Cookie": auth})

# Additional functions for authentication, etc. go here...

In this code:

  • The exploit function crafts an HTTP request that includes a carefully structured payload designed to exploit the buffer overflow.
  • The payload begins with a series of ‘A’ characters to fill the buffer, includes a NOP sled, and finally the shellcode that will gain remote access to the router.

Utilizing Return-Oriented Programming (ROP)

Given the lack of ASLR (Address Space Layout Randomization) on the device, the exploit leverages ROP to maintain control flow post-exploitation.

The attacker constructs a chain of gadgets—small sequences of instructions that perform various tasks, ultimately leading to the execution of the shellcode.

The critical gadgets are organized to facilitate calling the shellcode after a sleep function, allowing time for the exploit to succeed.

The implications of CVE-2024-54887 are severe. If successfully exploited, attackers could gain complete control over the affected devices, leading to potential data breaches and unauthorized access to connected networks. Users are urged to:

  • Update Firmware: Check for the latest firmware updates from TP-Link and apply them promptly.
  • Strengthen Security: Use strong passwords and disable features like remote management that may expose the device.
  • Monitor Network Activity: Regularly review network traffic for unusual activity.

The release of the PoC exploit for CVE-2024-54887 is a sobering reminder of the vulnerabilities that can exist in widely used consumer devices.

 As the threat landscape evolves, users and manufacturers must remain vigilant. Security must be a collaborative effort to protect against potential exploits and ensure the safety of personal and organizational networks.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Microsoft Rolls Out New Administrator Protection Feature Under Windows Security

Microsoft has announced the release of Windows 11 Insider Preview Build 27774 to the...

New Contacto Ransomware Evades AV Detection & Uses Windows Console for Execution

In early January 2025, a new ransomware strain identified as Contacto surfaced, showcasing advanced...

OWASP Smart Contract Top 10 2025 Released – What’s new!

The Open Web Application Security Project (OWASP) has released its updated Smart Contract Top 10 for...

Ransomware Attack Forces UK Brit High School to Close Doors For Students

A ransomware attack has compelled UK Brit, a prominent British high school, to close...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Microsoft Rolls Out New Administrator Protection Feature Under Windows Security

Microsoft has announced the release of Windows 11 Insider Preview Build 27774 to the...

OWASP Smart Contract Top 10 2025 Released – What’s new!

The Open Web Application Security Project (OWASP) has released its updated Smart Contract Top 10 for...

Ransomware Attack Forces UK Brit High School to Close Doors For Students

A ransomware attack has compelled UK Brit, a prominent British high school, to close...