PoC Exploit Released for TP-Link Code Execution Vulnerability (CVE-2024-54887)

A security researcher exploring reverse engineering and exploit development has identified a critical vulnerability in the TP-Link TL-WR940N router, affecting hardware versions 3 and 4 on all firmware up to the latest release.

The vulnerability, documented as CVE-2024-54887, allows arbitrary remote code execution (RCE) through exploitation of a stack buffer overflow.

The researcher used static and dynamic analysis, shellcode development for MIPS Linux, and Return Oriented Programming (ROP) to demonstrate that the bug is exploitable.


Vulnerability Analysis

The researcher began by emulating the router's firmware with Firmadyne, which allowed a thorough inspection of its functionality.

Figure: The function in the web interface and its associated parameters

Static analysis with tools such as Ghidra revealed that key security mitigations, namely non-executable memory (NX) and Position Independent Executables (PIE), were absent.

The analysis identified unbounded calls to strcpy() in the code responsible for processing DNS server settings, specifically the dnsserver1 and dnsserver2 parameters.

This flaw creates the risk of a stack buffer overflow, allowing an attacker to overwrite adjacent memory regions and take control of the device's execution flow.
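As an added illustration (not code from the article or from the researcher's write-up), the unsafe pattern the analysis describes is shown beside a hardened replacement for the same parameter handler. The function names, the 16-byte buffer size and the IPv4-literal-only validation rule are assumptions, since the article does not reproduce the firmware's source.

```c
#include <string.h>

#define DNS_BUF 16   /* "255.255.255.255" plus the terminating NUL */

/* Vulnerable pattern from the article: an unbounded strcpy() of the request
 * parameter into a fixed stack buffer. Shown for contrast; nothing calls it. */
void set_dns_vulnerable(const char *param)
{
    char dns[DNS_BUF];
    strcpy(dns, param);   /* no length check: a long value overruns the stack */
}

/* Accepts only a dotted-quad IPv4 literal: four decimal octets, each 0-255. */
static int is_ipv4_literal(const char *s)
{
    int octets = 0;
    while (*s != '\0') {
        int value = 0, digits = 0;
        while (*s >= '0' && *s <= '9') {
            value = value * 10 + (*s - '0');
            if (++digits > 3 || value > 255)
                return 0;
            s++;
        }
        if (digits == 0 || (*s != '.' && *s != '\0') || ++octets > 4)
            return 0;   /* empty octet, stray character, or a fifth octet */
        if (*s == '.' && *++s == '\0')
            return 0;   /* trailing dot */
    }
    return octets == 4;
}

/* Hardened form: bounded scan, syntax check, then a sized copy into the same
 * stack buffer. Returns the number of bytes stored, or 0 if rejected. */
int set_dns_hardened(const char *param)
{
    char dns[DNS_BUF];
    size_t n = 0;
    if (param == NULL)
        return 0;
    while (n < DNS_BUF && param[n] != '\0')
        n++;                       /* never read past the longest legal value */
    if (n == 0 || n == DNS_BUF || !is_ipv4_literal(param))
        return 0;
    memcpy(dns, param, n + 1);     /* n + 1 <= DNS_BUF: always in bounds */
    return (int)n;
}
```

The hardened version rejects the input before any copy happens, so an over-long or malformed dnsserver value can never reach the stack buffer, which is also the check a reviewer would look for when auditing similar parameter handlers in this firmware.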

Exploit Development

Using the identified vulnerability, the researcher crafted an exploit based on ROP techniques suited to the MIPS architecture.

Development involved assembling a chain of gadgets to achieve controlled execution of the shellcode.

Figure: Gadget Chain Overview

Preliminary testing confirmed the ability to overwrite critical registers and inject payloads that execute commands on the router.

The final exploit was packaged as a Python script that authenticates to the router and executes shellcode to establish a bind shell.

Post-exploitation testing confirmed that the exploit reliably opens a bind shell on port 4444 on the compromised device.

The researcher reported the findings to TP-Link, which acknowledged the issue and clarified that the affected hardware versions had reached end-of-life status, so no further security updates will be issued.

As of January 9, 2025, the vulnerability is formally documented under its assigned CVE number, a notable contribution to IoT security research.

The discovery underscores the importance of continuous security assessments for embedded systems, especially those that remain in active use after official support has ended.
