CVE-2019-6989
Published 2019-06-06
Priority: P2 (69) high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 11.58% (95.5th percentile)
TP-Link TL-WR940N is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the ipAddrDispose function. By sending specially crafted ICMP echo request packets, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges.
Detection & IOCs (extracted from sources)
- bytes: \x27\xE0\xFF\xFF (MIPS NOP sled: addiu $zero,$zero,-1)
- Buffer overflow is triggered via a GET request to /userRpm/PingIframeRpm.htm with an oversized ping_addr parameter (160+ bytes of padding followed by ROP chain and shellcode) sent to the router's web management interface on port 80.
- The exploit authenticates using a Base64-encoded Authorization cookie derived from admin:md5(admin); detect login attempts to /userRpm/LoginRpm.htm?Save=Save followed immediately by a request to /userRpm/PingIframeRpm.htm with a very long ping_addr value.
- The payload begins with 160 bytes of 'A' characters before the ROP chain; a ping_addr parameter value exceeding 160 bytes in a request to PingIframeRpm.htm is a strong indicator of exploitation.
- The MIPS reverse-shell shellcode connects back to an attacker-controlled IP on port 0x1f90 (8080 decimal); monitor for unexpected outbound TCP connections from the router on port 8080.
- The shellcode executes /bin/sh via execve syscall (li v0,4011 / syscall 0x40404) after dup2-ing the socket fd; look for unexpected /bin/sh processes spawned by the router's web server process.
- The vulnerable function is ipAddrDispose; static analysis or firmware diffing should focus on bounds checking around this function's handling of ICMP/ping address input.
- The exploit hardcodes the router's default gateway IP (192.168.0.1) and default credentials (admin/admin); the libc base address and ROP gadget offsets are specific to the firmware version of TL-WR940N/TL-WR941ND and will differ across firmware releases.
- The shellcode embeds a hardcoded big-endian attacker callback IP (0xc0a80164 = 192.168.1.100) and port 8080; these must be changed per engagement and are not universal indicators.
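The request-level indicators above (an oversized ping_addr sent to PingIframeRpm.htm, and a LoginRpm.htm?Save=Save login immediately followed by such a request from the same client) as a log-review check. This is an added example, not code from the page's sources; the common-log-style line format, the client IPs and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# From the extracted IOC: the payload pads ping_addr with 160 bytes before the ROP chain,
# so any value longer than that is treated as suspicious.
PING_ADDR_MAX = 160

# Common-log-style access line (constructed assumption): client, ident, user, [timestamp], "METHOD target ...".
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def ping_addr_length(target):
    """Length of the (decoded) ping_addr query value for a PingIframeRpm.htm request, else 0."""
    parts = urlsplit(target)
    if not parts.path.endswith('/userRpm/PingIframeRpm.htm'):
        return 0
    values = parse_qs(parts.query).get('ping_addr', [])
    return max((len(v) for v in values), default=0)


def detect(lines):
    """Return (client, reason) findings: one per oversized ping_addr request, plus one more
    when that client's previous request was the LoginRpm.htm?Save=Save login."""
    findings = []
    last_target = {}  # client IP -> target of its previous request
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, target = rec['src'], rec['target']
        n = ping_addr_length(target)
        if n > PING_ADDR_MAX:
            findings.append((src, f'oversized ping_addr ({n} bytes) to /userRpm/PingIframeRpm.htm'))
            if last_target.get(src, '').startswith('/userRpm/LoginRpm.htm?Save=Save'):
                findings.append((src, 'LoginRpm.htm?Save=Save login immediately followed by oversized ping_addr'))
        last_target[src] = target
    return findings


# Constructed sample log: one client performs the login-then-overflow sequence, another runs a normal ping.
SAMPLE_LOG = [
    '192.168.0.50 - - [06/Jun/2019:10:00:01 +0000] "GET /userRpm/LoginRpm.htm?Save=Save HTTP/1.1" 200 512',
    '192.168.0.50 - - [06/Jun/2019:10:00:02 +0000] "GET /userRpm/PingIframeRpm.htm?ping_addr=' + 'A' * 200 + ' HTTP/1.1" 200 1024',
    '192.168.0.51 - - [06/Jun/2019:10:05:00 +0000] "GET /userRpm/PingIframeRpm.htm?ping_addr=8.8.8.8 HTTP/1.1" 200 1024',
]

if __name__ == '__main__':
    for client, reason in detect(SAMPLE_LOG):
        print(f'{client}: {reason}')
```

Binary ROP and shellcode bytes arrive percent-encoded in a URL; parse_qs decodes them, so the length compared here is the decoded value, which is still well over 160 for the payload described above.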
CVSS provenance
- NVD v3.0: 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
No detection rules found.