Vulnerability disclosure TP-Link multiples CVEs

by chmod750

TP-Link TL-SG108E Easy Smart Switch CVE-2017-8074 CVE-2017-8075 CVE-2017-8076 CVE-2017-8077 CVE-2017-8078

In May 2016, I made a little assessment on my own TP-Link switch. I found several vulnerabilities so I sent a complete report to TP-Link support to warn them. They answered me very professionally and declared that these vulnerabilities are mainly due to the technical limitation of the device. Since this date, no updates have been released.

The configuration of the switch can be performed through the fat client available here: http://uk.tp-link.com/download/TL-SG108E_V1.html

configuration

The firmware released in 2014 is still the same in 2017:

configuration2

The port 80 in TCP is opened and used to upgrade the firmware. For any other configuration, ports 29808 and 29809 in UDP are used.

wireshark1

 

 

 

 

Reverse fat client

Using file, binwalk and Java Decompiler, I noticed the exe was just an archive containing the Java source code. As we can see below, the program has been developed with debugging tools inside:

fat1

Because the program has been developed in Java, we can use it using the JRE directly:

fat2

 

Dump login and password from logs

Using the command line adding the option “a” to open all log, we can extract this:

[...]
[null][2017-03-26 14:26:58][DEBUG] Token HEAD: Packet Header:[version:1,opernate code:1,error code:0,sequence number:945,length:40,flag:0,fragment offset:0,token ID:16182,mac address:60-E3-27-83-20-A4] [line -1]
[null][2017-03-26 14:26:58][DEBUG] Send Header:Packet Header:[version:1,opernate code:3,error code:0,sequence number:946,length:56,flag:0,fragment offset:0,token ID:16182,mac address:60-E3-27-83-20-A4] [line -1]
[null][2017-03-26 14:26:58][DEBUG] SEND data:TLV array list [length:2,0:[type:200, length:6, 61646d696e00]1:[type:202, length:6, 61646d696e00]] [line -1]
[null][2017-03-26 14:26:58][DEBUG] RECEIVED HEAD: Packet Header:[version:1,opernate code:4,error code:0,sequence number:946,length:36,flag:0,fragment offset:0,token ID:16182,mac address:60-E3-27-83-20-A4] [line -1]
[null][2017-03-26 14:26:58][DEBUG] RECEIVED TLV: TLV array list [length:0,] [line -1]
[null][2017-03-26 14:26:58][DEBUG] Login successfully. [line -1]
[null][2017-03-26 14:26:58][DEBUG] Done! [line -1]
[...]

As you can easily guess, in the send section, data are sent encoded in hexadecimal: 61646d696e00 → admin

But in any case, a couple of lines later we can see the login and the password in clear text:

[...]
[null][2017-03-26 14:26:59][DEBUG] Switch Info:[Switch type:TL-SG108E 1.0][Switch Mac:60-E3-27-83-20-A4][Switch IP:192.168.42.1][Port Number:8][User name:admin][Password:admin] [line -1]
[null][2017-03-26 14:26:59][DEBUG] transfer: 192.168.42.2 [line -1]
[null][2017-03-26 14:26:59][DEBUG] Open Page <System Info> [line -1]
[null][2017-03-26 14:26:59][DEBUG] Done! [line -1]
[...]

 

Reverse the network communication

I just changed the “device description” of the switch to “chmod750” and dumped the network traffic in the same time. In the debug console, we have another time the login and the password but we also have the new device name in hexadecimal (63686d6f6437353000 → chmod750):

[...]
[Receive.java][2016-05-04 15:03:43][DEBUG] RECEIVED TLV: TLV array list [length:9,0:[type:1, length:10, 544c2d53473130384500]1:[type:2, length:9, 63686d6f6437353000]2:[type:3,length:6, 60e3278320a4]3:[type:7, length:31,312e312e32204275696c642032303134313031372052656c2e353037343900]4:[type:8, length:14,544c2d53473130384520312e3000]5:[type:9, length:1, 00]6:[type:4, length:4, c0a82a01]7:[type:5,length:4, ffffff00]8:[type:6, length:4, 00000000]] [line 67]
[...]

In Wireshark, let’s have a look:

wireshark2

The whole traffic is UDP and ciphered. Data sent:

5d770ae75a3d9016fb8b94c310b27de7422ba2f5d7ceaeed508f23dbc202909a591381c0464e465f27d942b5a4451b4b36054c2a7d4e92145079196c44d4c29b5427fdbdbbe56cb388e5e42a26212fb0ae79135bde12f7c082839f9abc71034916

I just investigate a little bit more the source code and I found a function called RC4. RC4 is a depreciated “ciphering” method:

rc4

With this key, the traffic previously captured has been retrieved:

rc4_2

We can see the login (admin), the password I changed (from admin to root) and the new device name (chmod750). With this knowledge, a little bit of Scapy integrating the key would be perfect if you want to decrypt on the fly.

 

Firmware upgrade

The firmware transfer and upgrade is performed through the port 80 in HTTP. The upgrade is performed through a cgi script called “httpupg.cgi” with a dangerous parameter called “cmd”:

fat3

The HTTP transfer is performed through a POST request without authentication (the red part is the user and the blue part is the switch):

Firm1

Firm2

 

Conclusion

I decided to stop the assessment at this point and to alert TP-LINK support. From my point of view, this switch is pretty interesting for the price and all its network functionalities (I will definitely continue to use it in my lab). It is really interesting to see how the product has been designed and developed. So far, these vulnerabilities have not been patched so use precaution.

 

Advertisement

One thought on “Vulnerability disclosure TP-Link multiples CVEs

  1. Pingback: SB17-121: Vulnerability Summary for the Week of April 24, 2017 – sec.uno

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s