# A Denial-of-Service Vulnerability Regarding Firmware Update in TP-Link TL-WR940N V4 Router

## Affected Products:

We have tested TL-WR940N V4 (firmware version 3.16.9 and earlier). We suspect the issue may also affect other models with similar firmware versions.

## Overview:

An exploitable DoS vulnerability was discovered on the TL-WR940N V4 router. A specially crafted firmware update file allows an attacker to bypass the firmware verification in the firmware update process and install a broken firmware image, resulting in DoS. The vulnerability can be triggered while a user performs a firmware update with a self-uploaded firmware image: during the firmware delivery, the attacker replaces the user-uploaded firmware image with the malicious firmware image and causes a DoS of the device.

## Details:

When performing a firmware update, users download a new firmware image from the vendor server and upload it via the web interface of the device. The structure of the firmware image is [header, bootloader, header, kernel, rootfs]. Each header contains an MD5 checksum, which is used to verify the data integrity of the firmware. When a firmware image is uploaded, the web server calculates the image checksums and compares them with the checksum values in the headers.

However, the communication during firmware delivery uses plain HTTP, which provides no cryptographic protection of the uploaded contents. An attacker with a privileged network position (which could be obtained via ARP spoofing, DNS spoofing, or other approaches) can exploit this issue to provide customized malicious firmware updates. Specifically, the attacker can replace several bytes in the kernel with arbitrary bytes and then replace the checksums in the header with the checksums calculated over the modified firmware image. Because the MD5 checksum is unkeyed, anyone who can modify the image can also recompute it, so the check detects only accidental corruption and provides no authenticity guarantee. In this way, a customized malicious firmware image is crafted.
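The following is an added example (not the advisory's or TP-Link's code) showing why refreshing the header MD5 defeats the check described above: a toy header carrying an MD5 over its payload, the device-side check as described, and a keyed tag (HMAC under a constructed vendor key, standing in for a vendor signature) that still rejects the corrupted image after its MD5 has been recomputed. The header layout, key and payload are constructed for the example and are not the real TP-Link format.

```python
import hashlib
import hmac
import struct

# Constructed toy header: 16-byte MD5 of the payload, then a big-endian payload length.
# It stands in for the TP-Link headers in this advisory, which carry more fields.
HDR_FMT = ">16sI"
HDR_LEN = struct.calcsize(HDR_FMT)
TAG_LEN = 32
# Assumption: a key held only by the vendor. A real design would use an asymmetric
# signature so the device stores only a public key; HMAC keeps this example offline.
VENDOR_KEY = b"constructed-vendor-key-not-real"

def build_image(payload: bytes) -> bytes:
    """Wrap a payload in a header carrying its MD5, as the firmware headers on this page do."""
    return struct.pack(HDR_FMT, hashlib.md5(payload).digest(), len(payload)) + payload

def md5_check(image: bytes) -> bool:
    """The device's check as described: recompute MD5 over the payload, compare to the header."""
    digest, length = struct.unpack(HDR_FMT, image[:HDR_LEN])
    payload = image[HDR_LEN:HDR_LEN + length]
    return len(payload) == length and hmac.compare_digest(hashlib.md5(payload).digest(), digest)

def sign_image(image: bytes) -> bytes:
    """Vendor side: append a keyed tag computed over header and payload together."""
    return image + hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()

def signed_check(signed: bytes) -> bool:
    """Device side: verify the keyed tag before trusting any header field, then the MD5."""
    image, tag = signed[:-TAG_LEN], signed[-TAG_LEN:]
    expected = hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag) and md5_check(image)

def corrupt_and_rehash(image: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Test vector mirroring the advisory: patch payload bytes and refresh the header MD5."""
    payload = bytearray(image[HDR_LEN:])
    payload[offset:offset + len(new_bytes)] = new_bytes
    return build_image(bytes(payload))

def demo() -> tuple:
    """(md5 on pristine, md5 on corrupted, signed on pristine, signed on corrupted)."""
    image = build_image(bytes(range(256)) * 4)            # constructed 1 KiB "kernel"
    bad = corrupt_and_rehash(image, 100, b"\x00\x00\x00\x00")
    signed_good = sign_image(image)
    signed_bad = bad + signed_good[-TAG_LEN:]             # no key: old tag spliced onto bad image
    return (md5_check(image), md5_check(bad), signed_check(signed_good), signed_check(signed_bad))
```

`demo()` returns `(True, True, True, False)`: the MD5 check accepts the corrupted image, the keyed check does not.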
During the firmware update process, the attacker replaces the user-uploaded firmware with the crafted firmware, which then causes the device to stop working. The vulnerability has been successfully exploited on a real-world router device. In our case, we modified the 4 bytes at offset range 20644h to 20647h from value 0xADB8A36D to 0x00000000, then modified the checksum fields in the firmware header. The firmware headers before and after modification are listed below.

```
wr940nv4_us_3_16_9_up_boot(160617).bin:
Filesize           : 0x003e0200 / 4063744
Image Vendor       : TP-LINK Technologies
Image Version      : ver. 1.0
Image Size         : 0x003e0200 / 4063744
Image Checksum     : 8e 78 d5 f3 bf 44 84 51 19 81 48 e2 4d a9 1b 9c (Valid)
Product Id         : 0x09400004 (Unknown)
Product Version    : 0x00000001
Firmware Version   : 3.16.9
Bootldr Offset     : 0x00000000 / 0
Bootldr Length     : 0x0000e75b / 59227
Image2 Size        : 0x003c0000 / 3932160
Image2 Checksum    : b2 82 a4 7a 6c d3 59 47 90 a8 46 9f b6 be 85 3a (Valid)
Kernel Offset      : 0x00000200 / 512
Kernel Length      : 0x000d355d / 865629
Kernel Load Address: 0x80002000
Kernel Entry Point : 0x801cea10
Kernel Checksum    : e9 09 91 a1 b3 aa 6f 70 88 63 93 44 b3 7e da 70 (Not Verified)
Rootfs Offset      : 0x00100000 / 1048576
Rootfs Length      : 0x002c0000 / 2883584
```

```
wr940nv4_us_3_16_9_up_boot(160617)_new.bin:
Filesize           : 0x003e0200 / 4063744
Image Vendor       : TP-LINK Technologies
Image Version      : ver. 1.0
Image Size         : 0x003e0200 / 4063744
Image Checksum     : 65 a6 fa 9f b5 a3 d1 2c 28 fd b5 03 ed 7a 0d 67 (Valid)
Product Id         : 0x09400004 (Unknown)
Product Version    : 0x00000001
Firmware Version   : 3.16.9
Bootldr Offset     : 0x00000000 / 0
Bootldr Length     : 0x0000e75b / 59227
Image2 Size        : 0x003c0000 / 3932160
Image2 Checksum    : 25 f3 bc d6 98 86 48 95 0a 17 0d 4f e7 84 2f 49 (Valid)
Kernel Offset      : 0x00000200 / 512
Kernel Length      : 0x000d355d / 865629
Kernel Load Address: 0x80002000
Kernel Entry Point : 0x801cea10
Kernel Checksum    : e9 09 91 a1 b3 aa 6f 70 88 63 93 44 b3 7e da 70 (Not Verified)
Rootfs Offset      : 0x00100000 / 1048576
Rootfs Length      : 0x002c0000 / 2883584
```

After the original firmware image is replaced with the crafted firmware image during the firmware update procedure, the firmware verification passes and the device stops working, since the corrupted image has been installed.

## Disclosure to the Vendor:

The vulnerability has been confirmed by TP-Link and we received an acknowledgment from the vendor.