CVE-2023-49133, CVE-2023-49134
A command execution vulnerability exists in the tddpd enable_test_mode functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926 and Tp-Link N300 Wireless Access Point (EAP115 V4) v5.0.4 Build 20220216. A specially crafted series of network requests can lead to arbitrary command execution. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Tp-Link N300 Wireless Access Point (EAP115) v5.0.4 Build 20220216
Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926
AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) - https://www.tp-link.com/us/business-networking/omada-sdn-access-point/eap225/
N300 Wireless Access Point (EAP115) - https://www.tp-link.com/us/business-networking/ceiling-mount-access-point/eap115/
8.1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
The EAP225(US) AC1350 Access Point is a wireless access point from TP-Link offering native integration with tp-link Omada Cloud SDN for centralized cloud management and zero-touch provisioning.
The EAP225 and EAP115 Wireless Access Points run various services to manage the access point. One such service is tddpd, which listens on UDP port 1024 for the first 15 minutes after the device is restarted. By default, this service is running as the root user. The tddpd service exposes unauthenticated access to device functionality normally intended for troubleshooting activities. Implemented functionality appears to change depending on the device.
tddpd request messages consist of a 0x1C-byte header followed by a data field only used by some commands, as shown below.
#include <stdint.h>

struct tddp_header {
uint8_t version;       // protocol version (0x01 or 0x02)
uint8_t type;          // TDDP_SPECIAL_CMD_OPT_Subtype (0x03) or TDDP_ENC_CMD_OPT_Subtype (0x07)
uint8_t code;          // 0x01
uint8_t direction;     // 0x00 for request
uint32_t pay_len;      // number of bytes contained within the payload
uint16_t pkt_id;       // 0x01
uint8_t sub_type;      // TDDP_SPECIAL_CMD_OPT or TDDP_ENC_CMD_OPT depending on `type`
uint8_t reserved;      // 0x00
uint8_t digest[0x10];  // MD5 digest of the message
};                     // 1+1+1+1+4+2+1+1+16 = 0x1C bytes
The affected devices mainly use version 2 of the tddp service, implementing two of the available request types: TDDP_SPECIAL_CMD_OPT and TDDP_ENC_CMD_OPT. When a TDDP_SPECIAL_CMD_OPT request is chosen, the device loops over all of the available special command types searching for a matching function. Two of the available sub-requests (0x4B and 0x4F) cause the device to enter a Test Mode.
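A decoder for the 0x1C-byte request header described above, of the kind a network monitor could run over UDP/1024 datagrams: it flags TDDP_SPECIAL_CMD_OPT requests (the unauthenticated diagnostic path) and checks pay_len against the bytes actually received. This is an added example, not code from the advisory or from the TP-Link firmware; it assumes the multi-byte fields are big-endian, which the advisory does not state, and both sample datagrams are constructed.

```python
import struct

TDDP_HEADER_LEN = 0x1C
# assumption: multi-byte fields (pay_len, pkt_id) are big-endian; the advisory does not state byte order
TDDP_HEADER_FMT = ">BBBBIHBB16s"
TDDP_SPECIAL_CMD_OPT_SUBTYPE = 0x03   # `type` value for special-command requests
TDDP_ENC_CMD_OPT_SUBTYPE = 0x07       # `type` value for encrypted-command requests
TDDP_DIRECTION_REQUEST = 0x00

def parse_tddp(datagram: bytes) -> dict:
    """Decode the 0x1C-byte tddpd header and check pay_len against the bytes that follow it."""
    if len(datagram) < TDDP_HEADER_LEN:
        raise ValueError(f"datagram too short for a tddpd header: {len(datagram)} bytes")
    fields = struct.unpack(TDDP_HEADER_FMT, datagram[:TDDP_HEADER_LEN])
    names = ("version", "type", "code", "direction", "pay_len", "pkt_id", "sub_type", "reserved", "digest")
    hdr = dict(zip(names, fields))
    hdr["digest"] = hdr["digest"].hex()
    hdr["payload"] = datagram[TDDP_HEADER_LEN:]
    hdr["len_ok"] = hdr["pay_len"] == len(hdr["payload"])   # mismatch means a truncated or padded request
    return hdr

def classify(datagram: bytes) -> str:
    """Label a UDP/1024 datagram for a monitoring pipeline; special-command requests are the unauthenticated path."""
    try:
        hdr = parse_tddp(datagram)
    except ValueError:
        return "not-tddp"
    if hdr["direction"] != TDDP_DIRECTION_REQUEST:
        return "tddp-response"
    if hdr["type"] == TDDP_SPECIAL_CMD_OPT_SUBTYPE:
        return "tddp-special-cmd"
    if hdr["type"] == TDDP_ENC_CMD_OPT_SUBTYPE:
        return "tddp-enc-cmd"
    return "tddp-unknown-type"

# constructed samples (digest left zeroed): a version-2 special-command request with no payload,
# and an encrypted-command request whose pay_len claims 8 bytes while only 4 follow the header
SAMPLE_SPECIAL = struct.pack(TDDP_HEADER_FMT, 0x02, 0x03, 0x01, 0x00, 0, 0x01, 0x00, 0x00, bytes(16))
SAMPLE_TRUNCATED = struct.pack(TDDP_HEADER_FMT, 0x02, 0x07, 0x01, 0x00, 8, 0x02, 0x00, 0x00, bytes(16)) + b"ABCD"

if __name__ == "__main__":
    for name, pkt in (("special", SAMPLE_SPECIAL), ("truncated", SAMPLE_TRUNCATED)):
        hdr = parse_tddp(pkt)
        print(name, classify(pkt), f"version={hdr['version']} pay_len={hdr['pay_len']} len_ok={hdr['len_ok']}")
```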
0040161c int32_t _enableTestMode()
00401630 int32_t var_14 = 0
00401634 int32_t var_18 = 0
00401664 int32_t $v0 = wrpOpDo(0x240007, 0, 0, &var_14, 4, 0, 0x423640)
0040168c int32_t var_10
0040168c if ($v0 != 0 || ($v0 == 0 && var_14 != 0))
004016b0 printf("[TDDP_ERROR]<error>[%s:%d] faile…", "_enableTestMode", 0x14b)
004016c0 var_10 = 0xffffffff
0040168c if ($v0 == 0 && var_14 == 0)
004016cc var_10 = 0
004016dc return var_10
A majority of core functionality on these devices is handled within a service called uclited, and the various network services simply provide a way of accessing these functions over the network. In this case we focus on a functionality titled enableTestMode, which is only exposed via tddpd. This appears to be debugging/diagnostic functionality not intended for normal users. This functionality is rather straightforward in that it fetches a shell script via TFTP from a hard-coded IP address and executes it.
Using this vulnerability, a properly positioned network attacker can manipulate the device into fetching and executing an untrusted shell script with root permissions.
On the AC1350 (EAP225 V3_5.1.0 Build 20220926) the vulnerable function is located at offset 0x47b264, which is titled api_wlan_enableTestMode. An annotated decompilation of this function is included below, for reference.
#include <string.h>
#include <sys/stat.h>

// execFormatCmd is the firmware's own helper: it formats the given command string and runs it via a shell.
int32_t api_wlan_enableTestMode() {
struct stat buf;
memset(&buf, 0, 0x98);
int32_t i;
do {
i = execFormatCmd("arping -I %s -c 1 192.168.0.100", "br0"); // [1] Check for the existence of a system at 192.168.0.100, retrying until one answers
} while (i == 1);
execFormatCmd("tftp -g 192.168.0.100 -r test_mode_tp.sh -l /tmp/test_mode_tp.sh"); // [2] TFTP Get a file named `test_mode_tp.sh` from 192.168.0.100
stat("/tmp/test_mode_tp.sh", &buf);
int32_t result = 1;
if (buf.st_size > 0) { // [3] If the file was successfully fetched (signed comparison in the decompiler output)...
execFormatCmd("chmod +x /tmp/test_mode_tp.sh"); // [4] Mark the file as executable
execFormatCmd("/tmp/test_mode_tp.sh &"); // [5] and finally execute the shell script with root permissions
result = 0;
}
return result;
}
On the N300 (EAP115 V4_5.0.4 Build 20220216) the vulnerable function is located at offset 0x47159c, which is titled api_wlan_enableTestMode. An annotated decompilation of this function is included below, for reference.
#include <string.h>
#include <sys/stat.h>

// execFormatCmd is the firmware's own helper: it formats the given command string and runs it via a shell.
int32_t api_wlan_enableTestMode() {
struct stat buf;
memset(&buf, 0, 0x98);
int32_t i;
do {
i = execFormatCmd("arping -I %s -c 1 192.168.0.100", "br0"); // [1] Check for the existence of a system at 192.168.0.100, retrying until one answers
} while (i == 1);
execFormatCmd("tftp -g 192.168.0.100 -r test_mode_tp.sh -l /tmp/test_mode_tp.sh"); // [2] TFTP Get a file named `test_mode_tp.sh` from 192.168.0.100
stat("/tmp/test_mode_tp.sh", &buf);
int32_t result = 1;
if (buf.st_size > 0) { // [3] If the file was successfully fetched (signed comparison in the decompiler output)...
execFormatCmd("chmod +x /tmp/test_mode_tp.sh"); // [4] Mark the file as executable
execFormatCmd("/tmp/test_mode_tp.sh &"); // [5] and finally execute the shell script with root permissions
result = 0;
}
return result;
}
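The network-observable side of api_wlan_enableTestMode, in both decompilations above, is a TFTP read request for test_mode_tp.sh sent toward 192.168.0.100 (preceded by an arping to the same address). The parser below is an added example and not part of the advisory: it decodes a TFTP read request (RRQ, opcode 1, RFC 1350) seen on UDP/69 and raises an alert when an access point requests that script, distinguishing the hard-coded server from any other destination; the sample requests and the device address 192.168.0.254 are constructed.

```python
TFTP_RRQ_OPCODE = 1
TFTP_PORT = 69
TEST_MODE_SCRIPT = "test_mode_tp.sh"   # remote filename hard-coded in api_wlan_enableTestMode
TEST_MODE_SERVER = "192.168.0.100"     # TFTP server address hard-coded in api_wlan_enableTestMode

def parse_tftp_rrq(payload: bytes):
    """Return (filename, mode) for a TFTP read request, or None if the payload is not a well-formed RRQ."""
    if len(payload) < 4 or int.from_bytes(payload[:2], "big") != TFTP_RRQ_OPCODE:
        return None
    # RRQ body: filename NUL mode NUL [option NUL value NUL ...]; the trailing NUL yields an empty last part
    parts = payload[2:].split(b"\x00")
    if len(parts) < 3 or not parts[0] or not parts[1]:
        return None
    try:
        return parts[0].decode("ascii"), parts[1].decode("ascii").lower()
    except UnicodeDecodeError:
        return None

def flag_test_mode_fetch(src_ip: str, dst_ip: str, dst_port: int, payload: bytes):
    """Return an alert string when a device requests the test-mode script over TFTP, else None."""
    if dst_port != TFTP_PORT:
        return None
    rrq = parse_tftp_rrq(payload)
    if rrq is None:
        return None
    filename, mode = rrq
    # compare the basename so a path prefix does not hide the request
    if filename.rsplit("/", 1)[-1] != TEST_MODE_SCRIPT:
        return None
    where = "hard-coded test-mode server" if dst_ip == TEST_MODE_SERVER else "unexpected server"
    return (f"ALERT {src_ip} -> {dst_ip}: TFTP RRQ for {filename} ({mode}) to {where}; "
            "tddpd enableTestMode likely triggered")

# constructed samples: an RRQ for the test-mode script and a benign RRQ for another file
SAMPLE_TEST_MODE_RRQ = b"\x00\x01" + b"test_mode_tp.sh\x00octet\x00"
SAMPLE_BENIGN_RRQ = b"\x00\x01" + b"firmware.bin\x00octet\x00"

if __name__ == "__main__":
    for pkt in (SAMPLE_TEST_MODE_RRQ, SAMPLE_BENIGN_RRQ):
        print(flag_test_mode_fetch("192.168.0.254", TEST_MODE_SERVER, TFTP_PORT, pkt))
```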
The vendor released new firmware at:
https://www.tp-link.com/us/support/download/eap115/v4/#Firmware
https://www.tp-link.com/us/support/download/eap225/v3/#Firmware
2023-12-11 - Vendor Disclosure
2024-04-03 - Vendor Patch Release
2024-04-09 - Public Release
Discovered by the Vulnerability Discovery and Research team of Cisco Talos.