# Use CVE-2023-24362
# Vulnerability Disclosure
Affected product(s): \
TL-WR702N - Version: TL-WR702N_V1_151021_US \
TL-WR720N - Version: TL-WR720N_V1_130719
Buffer Overflow DOS:
Pinging functionality in the diagnostics tool
To exploit the vulnerability one must be authenticated on the web panel of the router. Then sending a maliciously crafted request, with the packet size parameter changed in an intercept tool to a large value.
The webpanel of the router has a diagnostics tool. The diagnostics tool only has size checks in the frontend. This means we can send crafted requests, with no size checks. Specifically changing the pSize parameter to a large value will lead to a full DOS of the router
Buffer Overflow RCE:
The web panel of the router
Sending a crafted request, a malicious actor can get remote code execution on the router. This requires log-in through the web panel.
Sending a crafted HTTP request to the endpoint /userRpm/WlanNetworkRpm with the parameter newBridgessid, one can cause a buffer overflow, which can lead to remote code execution
# This repository
In /pocs, the proof of concepts will be found. \
In /dump-over-uart, the script used to dump the firmware over uart will be found. \
In /firmware, the analyzed firmware will be found. \
In /binary_ninja, general ease of life scripts will be found. \
In /manuals, the primary manuals used for this research is located.