Skip to content

Latest commit

 

History

History
57 lines (50 loc) · 3.33 KB

README.md

File metadata and controls

57 lines (50 loc) · 3.33 KB

Vulnerability

  • In tplink deco firmware, a modification was made to uboot to add http upload functionality to support firmware installation directly from the bootloader as a failsafe procedure
  • This modification introduced an unconstrained sscanf reading the "fw-type" field from the user-provided firmware file into a fixed 256-byte stack buffer

Exploit

  • Take control of PC by overflowing stack buffer enough to overwrite return address
  • Point new return address to location within user-submitted firmware file to run arbitrary shellcode

Shellcode

Developed to load a boot image via tftp and execute it from RAM, as if following commands were run from a uboot prompt:

setenv serverip 192.168.0.2
setenv ipaddr 192.168.0.1
tftpboot 0x82000000 initramfs-kernel.bin
bootm 0x82000000
  • dynamically search RAM for required uboot symbols addresses (run_command, NetReceive) so shellcode works on multiple devices with slightly different u-boot builds

Possible Applicable Devices

According to tplink, uboot http recovery is present on the following devices:

  • Deco E4
  • Deco M4
  • Deco P9
  • Deco M9 Plus
  • Deco X20/X60 V1 (firmware 1.2.5 or later version)
  • Deco X20 V1.2 and later version
  • Deco X60 V2 and later
  • Deco S4

but these devices come in different "versions" which may have completely different hardware and uboot

Devices With Confirmed Working Exploit

Devices that will not work with exploit

  • Deco S4 v3.6 (ARM board)
  • Deco M9 Plus V1 and V2 (ARM board)
  • Deco M4R V3 (ARM board)
  • Deco X20 V3 (different firmware validation code)

Building

export STAGING_DIR=~/tplink/openwrt/staging_dir/
$STAGING_DIR/toolchain-mips_24kc_gcc-11.3.0_musl/bin/mips-openwrt-linux-musl-as -march mips32r2 shellcode.asm -o shellcode.o
$STAGING_DIR/toolchain-mips_24kc_gcc-11.3.0_musl/bin/mips-openwrt-linux-musl-ld -T shellcode.lk shellcode.o -o shellcode$STAGING_DIR/toolchain-mips_24kc_gcc-11.3.0_musl/bin/mips-openwrt-linux-musl-objcopy -j ".text" -O binary shellcode shellcode.bin
python build_fw.py > deco_all_webfailsafe_faux_fw_tftp.bin