CVE-2020-9375 TP-Link Archer C50 v3 Denial of Service

TP-Link Archer C50 is a popular router on Amazon.in with over 7K reviews and ratings and it is marked as Amazon's Choice!

Vulnerability : The Web Interface in Archer C50 V3 is vulnerable to a Denial of Service when anyone in network sends a specially crafted HTTP Header containing an unexpected Referer field.
Type of Vulnerability : Denial of Service
Device : TP-Link Archer C50 V3
CVE : CVE-2020-9375
CVE Status : Assigned
Discovered By : Lohitya Pushkar
Vulnerable Version : Build 171227 and below
Patch : Available! Build 200218

Attacking Setup

Connected with the router through WiFi/LAN
Operating System : Arch Linux 5.4.13-arch1-1 x86_64

Exploit

Let’s verify if we can access the gateway and port 80 is open

CVE-2020-9375 TP-Link Archer C50 v3 Denial of Service

As we can see port 80 is open and we can access router login page. Now we will create a new text file, I used headers.txt as file name for this step, in this file we will input the headers we want to send with the request we will be making later on

CVE-2020-9375 TP-Link Archer C50 v3 Denial of Service

I am using Host, User-Agent and Referer in headers, Host and User-Agent are in standard format and are correct but take a look at Referer, the correct format of Referer field is as shown below :

Referer: https://developer.mozilla.org/en-US/docs/Web/JavaScript
This is the point where the vulnerability is triggered, if we send Referer in incorrect format, the service on port 80 crashes and the port closes.
Now let’s try to trigger this vulnerability using curl, we will issue a simple GET request with the command below, to provide headers we will use -H argument of curl and specify our file which contains header i.e. headers.txt

CVE-2020-9375 TP-Link Archer C50 v3 Denial of Service

In a normal scenario we get a status code along with the output of GET request but here we get Empty reply from server, which means the service crashed before it could reply and the connection was closed, now let’s check nmap again to see if port 80 is still open

CVE-2020-9375 TP-Link Archer C50 v3 Denial of Service

And the port is closed, our exploit was successful and it resulted in a Denial of Service as the web interface cannot be accessed now until we reboot the router manually.
Similarly we can make a custom script and automate the whole process making it easy and fast, an example is shown below

CVE-2020-9375 TP-Link Archer C50 v3 Denial of Service

Disclosure Timeline

25-01-2020 I sent information about the vulnerability to TP-Link
26-01-2020 TP-Link asked for a write-up and PoC
26-01-2020 I sent both write-up and PoC
04-02-2020 TP-Link says there is some permission issue with files and a disclosure period of 120 days is decided
04-02-2020 I sent both files again and acknowledge a 120 day disclosure period
15-02-2020 TP-Link acknowledges about getting both files
17-02-2020 TP-Link says the firmware in writeup is old a newer version is available and asks to test on that
17-02-2020 I acknowledged and tested and the latest build was also vulnerable
19-02-2020 TP-Link sends a patch for testing
19-02-2020 I tested and patch worked, I notified TP-Link and asked about when an update will be available
20-02-2020 TP-Link says it's an old version and they are not sure about an update
21-02-2020 TP-Link agrees for an update
26-02-2020 TP-Link says firmware will be available soon
27-02-2020 TP-Link says firmware is now available on their official download page