InfoSecBulletin Cybersecurity for mankind
Rocco Calvi, a security researcher, discovered a serious flaw in the TP-Link AX1800 WiFi 6 Router (Archer AX21/AX20) that enables local network attackers to execute code remotely as the root user.
CVE-2023-28760 is a high-severity vulnerability (CVSS 7.5) in the MiniDLNA service of the router’s media-sharing feature. As described in the CVE Records, “TP-Link AX1800 WiFi 6 Router (Archer AX21) devices allow unauthenticated attackers (on the LAN) to execute arbitrary code as root via the db_dir field to minidlnad. The attacker obtains the ability to modify files.db, and that can be used to reach a stack-based buffer overflow in minidlna-1.1.2/upnpsoap.c.”
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
Critical Cisco ISE Vulnerability Enables Remote Code Execution
F5 Patches NGINX Flaw for Code Execution and DoS Attacks
FortiBleed: 70,000 Fortinet Firewalls Compromised Globally
New Rokarolla Android malware hits 217 banking and crypto apps
Phishing Campaign Exploits Legitimate Microsoft Login Flow
ALERT
Cisco SD-WAN Zero-Day, FortiSandbox and cPanel flaws exploited in attacks
“Panthalassa” builds floating AI data centers powered by ocean waves
Critical Wazuh Vuln Enables Alert Tampering and Evidence Deletion
The flaw affects devices where users have hooked up a USB drive for local file sharing, commonly accessed through \\192.168.0.1, a setup used by many homes for streaming and storage.
The discovery centers around a weakness in the .TPDLNA/files.db database created when Media Sharing is enabled on the router. According to Calvi, “By default, Samba for Windows and Local FTP are enabled, and Media Sharing is enabled on the device, which means that the MiniDLNA, ProFTPd, and Samba services will start automatically for the USB share.”
Attackers on the same LAN can manipulate the database via SMB or FTP due to a design flaw. This vulnerability comes from improper bounds checking in the SQL query result processing of MiniDLNA.
“During our static code analysis of the file minidlna-1.1.2/upnpsoap.c, we identified a vulnerability that resulted from improper bounds checking… the vendor assumed that the vulnerability was not reachable by an attacker and therefore did not patch it.”
This oversight proved costly. The database file (files.db) can be directly modified by any user with network access to the shared USB drive because the MiniDLNA configuration file /tmp/minidlna.conf exposes the database path:
db_dir=/mnt/sda1/.TPDLNA
By altering the data in files.db, attackers can cause a buffer overflow, allowing them to execute code on the router.
The exploit occurs when the DLNA processing function copies metadata fields to a fixed-size buffer. If a crafted dlna_pn (DLNA profile name) exceeds this size, it overwrites the stack memory.
As Calvi explains, “If the dlna_pn variable contains more characters than the buffer can hold, it will cause a stack-based buffer overflow, allowing an attacker to overwrite the stack and potentially execute arbitrary code on the router.”
The attacker can then chain this overflow into return-oriented programming (ROP) to bypass security mitigations such as ASLR (Address Space Layout Randomization) and NX (No-eXecute).
“To overcome the exploit mitigations of ASLR and the NX bit, as well as the null byte restriction imposed by sprintf, we found a one gadget that allowed us to redirect execution to a single instruction despite the null byte limitation.”
The analysis highlights the use of a “one gadget” technique that redirects execution flow to the system() function within the router’s firmware, effectively granting command-line access to the attacker as root:
00015ed4 06 0d 8d e2 add r0,sp,#0x180
00015ed8 cb f6 ff eb bl <EXTERNAL>::system int system(char * __command)
Once successful, the attacker gains full control over the router, enabling command execution, data exfiltration, or lateral movement within the home network.
The research team develop a proof-of-concept exploit to show the vulnerability at the Pwn2Own competition, where exploits are demonstrated responsibly. They successfully gained remote access to the router.
TP-Link has fixed a reported issue in firmware version Archer AX20(EU)_V3_1.1.4 Build 20230219. Users of the affected routers should upgrade right away. Find the latest firmware and instructions here.
