# A Firmware Downgrade Vulnerability During Firmware Update in TP-Link TL-WR1043ND V1 Wireless Router

## Affected Products:

We have tested on the TL-WR1043ND V1 (Firmware Version: 3.13.15 and earlier) device. We suspect it may also work on other models of the TL-WR1043ND series.

## Overview:

An exploitable firmware downgrade vulnerability was discovered on the TP-Link TL-WR1043ND V1 wireless router. The firmware version and checksum verifications performed during the firmware update procedure can be bypassed, so an attacker can install an older version of the firmware image, resulting in a firmware downgrade attack. The vulnerability can be exploited by replacing the user-uploaded firmware image with a modified older firmware image while it is being delivered. After that, the vulnerabilities present in the older firmware are reintroduced.

## Details:

When performing a firmware update, users can download a new firmware image from the vendor server and upload it via the web interface of the device. The firmware update web interface is shown below.

![](https://i.imgur.com/yG3uTcN.png)

*Fig. 1. The web interface for firmware update.*

The structure of the firmware image is [header, bootloader, header, kernel, rootfs]. It is worth noting that each header contains an MD5 checksum, which is used to verify the data integrity of the firmware. When a firmware image is uploaded, the web server calculates the **MD5 checksum** of the image and compares it with the checksum values in the headers. Also, the **firmware version** is checked to ensure that the correct version of the firmware image is being installed. The decompiled function that verifies the firmware image is shown below.

```
undefined4 upgradeFirmware(int param_1,int param_2)
{
  ...
  if (param_2 - 0x30000U < 0x7d0001) {
    iVar8 = check_filesize(param_2);
    if (iVar8 != 0) {
      iVar8 = isSysUpgradeNeedChecksum();
      if (iVar8 != 0) {
        /* save the checksum fields from the header before verifying the digest */
        local_30 = *(undefined4 *)(param_1 + 0x4c);
        local_2c = *(undefined4 *)(param_1 + 0x50);
        local_28 = *(undefined4 *)(param_1 + 0x54);
        local_24 = *(undefined4 *)(param_1 + 0x58);
        pcVar11 = getMd5Key;
        if (*(int *)(param_1 + 0x94) != 0) {
          pcVar11 = getMd5Key_bootloader;
        }
        ...
        /* MD5 checksum verification */
        iVar8 = md5_verify_digest(&local_30,param_1,param_2);
        if (iVar8 == 0) {
          printf("image md5 checksum is not correct!\n\r");
          *(undefined4 *)(param_1 + 0x58) = local_24;
          *(undefined4 *)(param_1 + 0x4c) = local_30;
          *(undefined4 *)(param_1 + 0x50) = local_2c;
          *(undefined4 *)(param_1 + 0x54) = local_28;
          return 0x4655;
        }
        *(undefined4 *)(param_1 + 0x50) = local_2c;
        *(undefined4 *)(param_1 + 0x4c) = local_30;
        *(undefined4 *)(param_1 + 0x54) = local_28;
        *(undefined4 *)(param_1 + 0x58) = local_24;
      }
      /* product id / product version verification against the header fields */
      if (((DAT_100026a0 != 0) && (iVar8 = isFreeUpdate(), iVar8 == 0)) &&
         ((iVar8 = getProductId(), *(int *)(param_1 + 0x40) != iVar8 ||
          (iVar8 = getProductVer(), *(int *)(param_1 + 0x44) != iVar8)))) {
        printf("Firmware version check failed");
        return 0x4655;
      }
      ...
}
```

However, the firmware image is delivered over plain HTTP, which provides no cryptographic protection for the uploaded contents, and there is no signature verification of the uploaded firmware image. Therefore, an attacker with a privileged network position (which could be obtained via ARP spoofing, DNS spoofing, or other approaches) can exploit this issue to deliver malicious firmware updates. Specifically, the attacker can change the firmware version field of an older firmware image to a newer version, then recalculate the MD5 checksum of the modified image and write it into the checksum field of the firmware header. In this way, a malicious older firmware image is crafted.
During the firmware update process, the attacker replaces the user-uploaded firmware with the crafted firmware, which causes the device to install the older firmware and reintroduces the vulnerabilities it contains.

The vulnerability has been successfully exploited by creating a proof-of-concept. In our case, we modified the firmware version fields in the two firmware headers (offset ranges 0x98 to 0x9D and 0x20298 to 0x2029D) from 0x0003000D000F (indicating firmware version 3.13.15) to 0x0003000E000F (indicating firmware version 3.14.15). Then we modified the checksum fields in the firmware headers. The firmware headers before and after modification are listed below.

*The original firmware header information:*

```
Filename           : wr1043nv1_en_3_13_15_up_boot(140319).bin
Filesize           : 0x007e0200 / 8258048
Image Vendor       : TP-LINK Technologies
Image Version      : ver. 1.0
Image Size         : 0x007e0200 / 8258048
Image Checksum     : f2 d8 8b 15 bd 4e 0a d0 03 0c ff ac 8f fc d9 6c (Valid)
Product Id         : 0x10430001 (TL-WR1043NDv1)
Product Version    : 0x00000001
Firmware Version   : 3.13.15
Bootldr Offset     : 0x00000000 / 0
Bootldr Length     : 0x0001c310 / 115472
Image2 Size        : 0x007c0000 / 8126464
Image2 Checksum    : de 8f 7f da 04 be bc 17 ea 21 8a 99 a7 52 88 73 (Valid)
Kernel Offset      : 0x00000200 / 512
Kernel Length      : 0x000ca63a / 828986
Kernel Load Address: 0x80002000
Kernel Entry Point : 0x801ae000
Kernel Checksum    : 0c d5 5a 2a 74 06 73 3d 0a 60 03 1e bd 49 bc a1 (Not Verified)
Rootfs Offset      : 0x00100000 / 1048576
Rootfs Length      : 0x006c0000 / 7077888
```

*The modified firmware header information:*

```
Filename           : wr1043nv1_en_3_13_15_up_boot(140319).bin
Filesize           : 0x007e0200 / 8258048
Image Vendor       : TP-LINK Technologies
Image Version      : ver. 1.0
Image Size         : 0x007e0200 / 8258048
Image Checksum     : d4 66 4c 07 b5 69 cb aa ed de 1e 94 2e 7b 19 6e (Valid)
Product Id         : 0x10430001 (TL-WR1043NDv1)
Product Version    : 0x00000001
Firmware Version   : 3.14.15
Bootldr Offset     : 0x00000000 / 0
Bootldr Length     : 0x0001c310 / 115472
Image2 Size        : 0x007c0000 / 8126464
Image2 Checksum    : f8 66 f5 3b 00 6c 69 8a 8f 69 9b f4 53 db 1b a6 (Valid)
Kernel Offset      : 0x00000200 / 512
Kernel Length      : 0x000ca63a / 828986
Kernel Load Address: 0x80002000
Kernel Entry Point : 0x801ae000
Kernel Checksum    : 0c d5 5a 2a 74 06 73 3d 0a 60 03 1e bd 49 bc a1 (Not Verified)
Rootfs Offset      : 0x00100000 / 1048576
Rootfs Length      : 0x006c0000 / 7077888
```

After the original firmware image is replaced with the crafted firmware image during the firmware update procedure, the firmware verifications are bypassed and the malicious older firmware is flashed onto the device. At this point, the firmware downgrade attack has succeeded.
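The root cause described above is that every value the verifier trusts (product id, version field, MD5 checksum) is read from the uploaded image itself, so whoever can rewrite the image can also make those checks pass. The Go program below is an added example written for this page; it is not code from the advisory and not TP-Link's implementation. It uses a constructed toy image layout (not the TL-WR1043ND header format) with the product id `0x10430001` from the header dumps and versions 3.13.15 and 3.14.15 packed into one 32-bit field. `checksumOnlyVerify` reproduces the checksum-plus-version logic the advisory describes; `signedVerify` adds what the device lacks, a detached Ed25519 signature over the entire image checked with a vendor public key, in front of the same anti-rollback comparison. `runScenario` builds a signed old image, a signed new image and an old image rebuilt with its version field bumped and MD5 refreshed, exactly the modification the advisory describes, and shows that only the signed verifier refuses both the crafted image and a replayed genuine old image while still accepting the legitimate update. The vendor key pair is generated in the program for the demonstration; on a real device only the public key would be present.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed toy image layout (NOT the TL-WR1043ND header format):
//   [0:4] product id  [4:8] version packed major<<16|minor<<8|patch
//   [8:24] MD5 over the image with these 16 bytes zeroed  [24:] payload
const (
	offProduct = 0
	offVersion = 4
	offMD5     = 8
	offPayload = 24
)

// headerDigest is the MD5 the header should carry: the image with its checksum
// field zeroed. Anyone holding the image can recompute it, so it proves no origin.
func headerDigest(img []byte) [16]byte {
	tmp := append([]byte(nil), img...)
	for i := offMD5; i < offPayload; i++ {
		tmp[i] = 0
	}
	return md5.Sum(tmp)
}

// buildImage assembles a constructed image with a valid checksum.
func buildImage(product, version uint32, payload []byte) []byte {
	img := make([]byte, offPayload+len(payload))
	binary.BigEndian.PutUint32(img[offProduct:], product)
	binary.BigEndian.PutUint32(img[offVersion:], version)
	copy(img[offPayload:], payload)
	sum := headerDigest(img)
	copy(img[offMD5:offPayload], sum[:])
	return img
}

// checksumOnlyVerify mirrors the checks the advisory describes: product id,
// version field and MD5. Every value it trusts comes from the uploaded image.
func checksumOnlyVerify(img []byte, wantProduct, installedVersion uint32) error {
	if len(img) < offPayload || binary.BigEndian.Uint32(img[offProduct:]) != wantProduct {
		return errors.New("image too short or product id mismatch")
	}
	if binary.BigEndian.Uint32(img[offVersion:]) < installedVersion {
		return errors.New("image version is older than the installed firmware")
	}
	if d := headerDigest(img); !bytes.Equal(d[:], img[offMD5:offPayload]) {
		return errors.New("image md5 checksum is not correct")
	}
	return nil
}

// signedVerify adds a detached Ed25519 signature over the entire image (version
// field included), checked with a vendor public key the device holds, before the
// same checksum and anti-rollback checks.
func signedVerify(img, sig []byte, pub ed25519.PublicKey, wantProduct, installedVersion uint32) error {
	if !ed25519.Verify(pub, img, sig) {
		return errors.New("firmware signature invalid")
	}
	return checksumOnlyVerify(img, wantProduct, installedVersion)
}

type Outcome struct {
	ChecksumAcceptsCrafted bool // the weakness from the advisory
	SignedRejectsCrafted   bool // the signature covers the rewritten version field
	SignedRejectsOldSigned bool // a genuine but older image is refused by anti-rollback
	SignedAcceptsNew       bool // the legitimate update path still works
}

// runScenario signs a 3.13.15 and a 3.14.15 image with a vendor key generated
// here for the demo, rebuilds the old image with its version bumped and MD5
// refreshed as the advisory describes, and verifies all three on a device at 3.14.15.
func runScenario() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const product = 0x10430001                // product id from the advisory's header dump
	const vOld, vNew = 0x00030D0F, 0x00030E0F // 3.13.15 and 3.14.15, packed major<<16|minor<<8|patch
	old := buildImage(product, vOld, []byte("constructed 3.13.15 payload"))
	newImg := buildImage(product, vNew, []byte("constructed 3.14.15 payload"))
	oldSig, newSig := ed25519.Sign(priv, old), ed25519.Sign(priv, newImg)
	crafted := buildImage(product, vNew, old[offPayload:]) // old contents, new version, fresh MD5
	return Outcome{
		ChecksumAcceptsCrafted: checksumOnlyVerify(crafted, product, vNew) == nil,
		SignedRejectsCrafted:   signedVerify(crafted, oldSig, pub, product, vNew) != nil,
		SignedRejectsOldSigned: signedVerify(old, oldSig, pub, product, vNew) != nil,
		SignedAcceptsNew:       signedVerify(newImg, newSig, pub, product, vNew) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", runScenario())
}
```

Two points matter when carrying this over to a real device. The public key and the `installedVersion` value must live somewhere the update path cannot rewrite (bootloader or one-time-programmable storage), otherwise an attacker who gets one malicious image flashed can replace both. And the signature is what protects the image, not the transport: moving the upload to HTTPS would stop the on-path replacement the advisory describes, but it would not stop a user who is handed a crafted image by other means from flashing it, while a signature check rejects it regardless of how it arrived.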