TP-Link Archer C50 is a popular router on Amazon.in with over 7K reviews and ratings and it is marked as Amazon's Choice!
Vulnerability : The Web Interface in Archer C50 V3 is vulnerable to a Denial of Service when anyone in network sends a specially crafted HTTP Header containing an unexpected Referer field.
- Type of Vulnerability : Denial of Service
- Device : TP-Link Archer C50 V3
- CVE : CVE-2020-9375
- CVE Status : Assigned
- Discovered By : Lohitya Pushkar
- Vulnerable Version : Build 171227 and below
- Patch : Available! Build 200218
Attacking Setup
- Connected with the router through WiFi/LAN
- Operating System : Arch Linux 5.4.13-arch1-1 x86_64
Exploit
Let's verify if we can access the gateway and port 80 is open
As we can see port 80 is open and we can access router login page. Now we will create a new text file, I used headers.txt as file name for this step, in this file we will input the headers we want to send with the request we will be making later on
I am using Host, User-Agent and Referer in headers, Host and User-Agent are in standard format and are correct but take a look at Referer, the correct format of Referer field is as shown below :
Referer: https://developer.mozilla.org/en-US/docs/Web/JavaScriptThis is the point where the vulnerability is triggered, if we send Referer in incorrect format, the service on port 80 crashes and the port closes. Now let's try to trigger this vulnerability using curl, we will issue a simple GET request with the command below, to provide headers we will use -H argument of curl and specify our file which contains header i.e. headers.txt
In a normal scenario we get a status code along with the output of GET request but here we get Empty reply from server, which means the service crashed before it could reply and the connection was closed, now let’s check nmap again to see if port 80 is still open
And the port is closed, our exploit was successful and it resulted in a Denial of Service as the web interface cannot be accessed now until we reboot the router manually. Similarly we can make a custom script and automate the whole process making it easy and fast, an example is shown below
Disclosure Timeline
| Date | Event |
|---|---|
| 25-01-2020 | I sent information about the vulnerability to TP-Link |
| 26-01-2020 | TP-Link asked for a write-up and PoC |
| 26-01-2020 | I sent both write-up and PoC |
| 04-02-2020 | TP-Link says there is some permission issue with files and a disclosure period of 120 days is decided |
| 04-02-2020 | I sent both files again and acknowledge a 120 day disclosure period |
| 15-02-2020 | TP-Link acknowledges about getting both files |
| 17-02-2020 | TP-Link says the firmware in writeup is old a newer version is available and asks to test on that |
| 17-02-2020 | I acknowledged and tested and the latest build was also vulnerable |
| 19-02-2020 | TP-Link sends a patch for testing |
| 19-02-2020 | I tested and patch worked, I notified TP-Link and asked about when an update will be available |
| 20-02-2020 | TP-Link says it's an old version and they are not sure about an update |
| 21-02-2020 | TP-Link agrees for an update |
| 26-02-2020 | TP-Link says firmware will be available soon |
| 27-02-2020 | TP-Link says firmware is now available on their official download page |
PoC
