# Use CVE-2023-24362

# Vulnerability Disclosure

Affected product(s): \
TL-WR702N - Version: TL-WR702N_V1_151021_US \
TL-WR720N - Version: TL-WR720N_V1_130719

Buffer Overflow DOS:
Pinging functionality in the diagnostics tool

To exploit the vulnerability, one must be authenticated on the web panel of the router and then send a maliciously crafted request in which the packet size parameter has been changed to a large value in an intercept tool.

The web panel of the router has a diagnostics tool. The diagnostics tool only has size checks in the frontend, so a crafted request sent directly to the router is not size-checked at all. Specifically, changing the pSize parameter to a large value will lead to a full DOS of the router.

Buffer Overflow RCE:
The web panel of the router

By sending a crafted request, a malicious actor can get remote code execution on the router. This requires log-in through the web panel.

Sending a crafted HTTP request to the endpoint /userRpm/WlanNetworkRpm with the parameter newBridgessid can cause a buffer overflow, which can lead to remote code execution.
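
Both issues come down to request parameters reaching fixed-size buffers without a server-side check. The following is an added example of that check, not code from the router firmware or from this repository: the function names and the ping size bounds are assumptions, and the 32-byte SSID limit is the IEEE 802.11 maximum.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define PING_SIZE_MIN 4     /* assumed lower bound, not taken from the firmware */
#define PING_SIZE_MAX 1472  /* assumed upper bound, not taken from the firmware */
#define SSID_MAX_LEN  32    /* maximum SSID length in IEEE 802.11 */

/* Validate the pSize value on the server, independent of any frontend check.
 * Returns 0 and stores the size on success, -1 on any malformed or
 * out-of-range input. */
int parse_ping_size(const char *value, int *out)
{
    char *end;
    long n;

    /* Require a leading digit: rejects NULL, empty, signs and whitespace. */
    if (value == NULL || !isdigit((unsigned char)*value))
        return -1;
    errno = 0;
    n = strtol(value, &end, 10);
    if (errno != 0 || *end != '\0')   /* overflow or trailing garbage */
        return -1;
    if (n < PING_SIZE_MIN || n > PING_SIZE_MAX)
        return -1;
    *out = (int)n;
    return 0;
}

/* Copy the newBridgessid value into a fixed buffer. Oversized or empty input
 * is rejected (rejecting empty is an assumption) instead of being truncated. */
int copy_bridge_ssid(const char *value, char dst[SSID_MAX_LEN + 1])
{
    size_t len;

    if (value == NULL)
        return -1;
    /* Bounded length scan: stop as soon as the limit is exceeded. */
    for (len = 0; value[len] != '\0'; len++)
        if (len == SSID_MAX_LEN)
            return -1;
    if (len == 0)
        return -1;
    memcpy(dst, value, len);
    dst[len] = '\0';
    return 0;
}
```
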

# This repository
In /pocs, the proofs of concept will be found. \
In /dump-over-uart, the script used to dump the firmware over UART will be found. \
In /firmware, the analyzed firmware will be found. \
In /binary_ninja, general ease of life scripts will be found. \
In /manuals, the primary manuals used for this research are located.