CVE-2019-6989
published 2019-06-06


Priority: P2 · 69 · high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public PoC
EPSS: 11.58% (95.5th percentile)
TP-Link TL-WR940N is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the ipAddrDispose function. By sending specially crafted ICMP echo request packets, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges.

Detection & IOCs (extracted from sources)

url: http://192.168.0.1/userRpm/LoginRpm.htm?Save=Save
url: http://192.168.0.1/{directory}/userRpm/DiagnosticRpm.htm
path: /userRpm/PingIframeRpm.htm
cookie: Authorization=Basic%20<base64(admin:md5(admin))>
command: ping_addr=<payload>&doType=ping&isNew=new&sendNum=4&psize=64&overTime=800&trHops=20
bytes: \x27\xE0\xFF\xFF (MIPS NOP sled: addiu $zero,$zero,-1)
  • Buffer overflow is triggered via a GET request to /userRpm/PingIframeRpm.htm with an oversized ping_addr parameter (160+ bytes of padding followed by ROP chain and shellcode) sent to the router's web management interface on port 80.
  • The exploit authenticates using a Base64-encoded Authorization cookie derived from admin:md5(admin); detect login attempts to /userRpm/LoginRpm.htm?Save=Save followed immediately by a request to /userRpm/PingIframeRpm.htm with a very long ping_addr value.
  • The payload begins with 160 bytes of 'A' characters before the ROP chain; a ping_addr parameter value exceeding 160 bytes in a request to PingIframeRpm.htm is a strong indicator of exploitation.
  • The MIPS reverse-shell shellcode connects back to an attacker-controlled IP on port 0x1f90 (8080 decimal); monitor for unexpected outbound TCP connections from the router on port 8080.
  • The shellcode executes /bin/sh via execve syscall (li v0,4011 / syscall 0x40404) after dup2-ing the socket fd; look for unexpected /bin/sh processes spawned by the router's web server process.
  • The vulnerable function is ipAddrDispose; static analysis or firmware diffing should focus on bounds checking around this function's handling of ICMP/ping address input.
  • The exploit hardcodes the router's default gateway IP (192.168.0.1) and default credentials (admin/admin); the libc base address and ROP gadget offsets are specific to the firmware version of TL-WR940N/TL-WR941ND and will differ across firmware releases.
  • The shellcode embeds a hardcoded big-endian attacker callback IP (0xc0a80164 = 192.168.1.100) and port 8080; these must be changed per engagement and are not universal indicators.
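The two network-side indicators above (an oversized `ping_addr` value sent to `PingIframeRpm.htm`, and a login to `LoginRpm.htm?Save=Save` immediately followed by such a request from the same client) can be checked directly against the router's or an upstream proxy's HTTP access log. The following detector is an added example, not code from this page or from TP-Link; the log lines are constructed, the combined-log-format layout, the 160-byte threshold (taken from the padding length stated above) and the session-directory prefix in one of the paths are assumptions. It measures the decoded byte length of `ping_addr` so percent-encoded payloads are not under-counted, and it matches the ping path by suffix so a per-session directory prefix does not hide the request.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Threshold taken from the IOC list above: the payload starts with 160 bytes of padding.
PING_ADDR_MAX_BYTES = 160
PING_PATH = "/userRpm/PingIframeRpm.htm"
LOGIN_PATH = "/userRpm/LoginRpm.htm"

# Assumed combined log format: client, ident, user, [timestamp], "request line", status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def ping_addr_len(target):
    """Decoded byte length of ping_addr for a PingIframeRpm.htm request, else None.

    The raw query is split by hand so that the value is percent-decoded exactly once
    and the length reflects the bytes the router's parser will actually copy.
    """
    parts = urlsplit(target)
    if not parts.path.endswith(PING_PATH):
        return None
    for pair in parts.query.split("&"):
        key, _, raw = pair.partition("=")
        if key == "ping_addr":
            return len(unquote_to_bytes(raw))
    return None


def analyze(lines):
    """Flag oversized ping_addr values; escalate when the same client just logged in."""
    findings = []
    last_path = {}  # per-client path of the previous request
    for lineno, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path
        n = ping_addr_len(rec["target"])
        if n is not None and n > PING_ADDR_MAX_BYTES:
            kind = "oversized_ping_addr"
            if last_path.get(rec["src"], "").endswith(LOGIN_PATH):
                kind = "login_then_oversized_ping_addr"
            findings.append(
                {"line": lineno, "src": rec["src"], "kind": kind, "ping_addr_bytes": n}
            )
        last_path[rec["src"]] = path
    return findings


# Constructed sample log: one benign ping, one login followed by an oversized ping
# through an assumed session-directory prefix, and one oversized percent-encoded ping.
SAMPLE_LOG = [
    '192.168.0.10 - - [06/Jun/2019:10:00:01 +0000] "GET /userRpm/PingIframeRpm.htm'
    '?ping_addr=8.8.8.8&doType=ping&isNew=new&sendNum=4&psize=64&overTime=800&trHops=20'
    ' HTTP/1.1" 200 512',
    '192.168.0.50 - - [06/Jun/2019:10:05:00 +0000] "GET /userRpm/LoginRpm.htm?Save=Save'
    ' HTTP/1.1" 200 300',
    '192.168.0.50 - - [06/Jun/2019:10:05:01 +0000] "GET /SESSIONDIR/userRpm/PingIframeRpm.htm'
    '?ping_addr=' + "A" * 200 + '&doType=ping&isNew=new&sendNum=4&psize=64&overTime=800'
    '&trHops=20 HTTP/1.1" 200 512',
    '192.168.0.77 - - [06/Jun/2019:11:00:00 +0000] "GET /userRpm/PingIframeRpm.htm'
    '?ping_addr=' + "%41" * 170 + '&doType=ping HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Run against the constructed sample, the benign 7-byte `ping_addr` is ignored, the 200-byte value from 192.168.0.50 is reported as `login_then_oversized_ping_addr` because the previous request from that client was the login URL, and the 170-byte percent-encoded value from 192.168.0.77 is reported as `oversized_ping_addr`. Requests to `DiagnosticRpm.htm` are not measured, since the bounds defect described here is reached through the ping handler.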

CVSS provenance

NVD v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 9.0 CRITICAL (AV:N/AC:L/Au:S/C:C/I:C/A:C)