userspace_fw_upgrade
Vulnerability

  • In TP-Link Deco firmware, TP-Link provides a web-UI based firmware update mechanism that accepts manually specified firmware images
  • This code also has an unconstrained sscanf that reads the "fw-type" field from the user-provided firmware file into a fixed 256-byte stack buffer
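
As an added illustration (not code from this repository or from the TP-Link firmware), the hardened form of the field read described above: a width-limited sscanf into the same 256-byte buffer, with an explicit reject when the value would have been silently truncated. The "fw-type=" key syntax, the header line layout and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define FW_TYPE_MAX 256   /* size of the fixed stack buffer described above */

/* Result codes for the hardened parser (hypothetical names). */
enum fw_parse_result { FW_OK = 0, FW_MISSING = -1, FW_TOO_LONG = -2 };

/*
 * Hardened read of the "fw-type" field from one firmware header line.
 * The defect described above is an unbounded "%s" conversion into a
 * 256-byte stack buffer. "%255s" caps the copy at 255 characters plus the
 * terminating NUL, and the check on the character following the field
 * turns silent truncation into a hard reject instead of accepting a
 * mangled value. The "fw-type=" key syntax is an assumption.
 */
int parse_fw_type(const char *line, char out[FW_TYPE_MAX]) {
    const char *p = strstr(line, "fw-type=");
    if (!p)
        return FW_MISSING;
    p += strlen("fw-type=");

    int consumed = 0;
    /* %n records how many input characters the %255s conversion consumed. */
    if (sscanf(p, "%255s%n", out, &consumed) != 1)
        return FW_MISSING;

    /* A valid field ends at whitespace or end of string; anything else means
     * the value was longer than the buffer and was cut off. */
    char next = p[consumed];
    if (next != '\0' && next != ' ' && next != '\t' &&
        next != '\n' && next != '\r')
        return FW_TOO_LONG;
    return FW_OK;
}
```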

Exploit Strategy

  • Take control of PC by overflowing the stack buffer far enough to overwrite the return address
  • Point the return address into the range where the kernel could mmap a 16MB file
  • MIPS: Spray the firmware file with shellcode to catch whichever region ASLR selects
  • ARM: To defeat NX protection on mmap'd pages, spray the firmware file with the address of a ROP gadget in a non-PIE binary that manipulates the stack to jump to the system@got entry with a specified command string

Payload

Possible Applicable Devices

  • Many TP-Link Deco devices

Devices With Confirmed Working Exploit

Devices That Probably Work But Need Testers To Confirm

Building

python build_fw_mips.py > deco_fw_overflow_bindshell_mips.bin
python build_fw_mipsel.py > deco_fw_overflow_bindshell_mipsel.bin
python build_fw_arm.py m4rv3 > deco_fw_overflow_ssh_arm_m4rv3.bin
python build_fw_arm.py m9+v1 > deco_fw_overflow_ssh_arm_m9+v1.bin
python build_fw_arm.py m9+v2 > deco_fw_overflow_ssh_arm_m9+v2.bin
python build_fw_arm.py m5v3 > deco_fw_overflow_ssh_arm_m5v3.bin