ID

VAR-201812-0908

CVE

CVE-2018-19241

TITLE

TRENDnet TV-IP110WN and TV-IP121WN Device buffer error vulnerability

DESCRIPTION

Buffer overflow in video.cgi on TRENDnet TV-IP110WN V1.2.2 build 68, V1.2.2.65, and V1.2.2 build 64 and TV-IP121WN V1.2.2 build 28 devices allows attackers to hijack the control flow to any attacker-specified location by crafting a POST request payload (without authentication). TRENDnet TV-IP110WN and TV-IP121WN The device contains a buffer error vulnerability.Information may be tampered with. TRENDnetTV-IP110WN is a wireless internet surveillance camera. The TRENDnetTV-IP121WN is a network camera solution for surveillance. There are BoF vulnerabilities in TRENDnetTV-IP110WN and TV-IP121WN. An attacker could use a POST request to deliver its payload to trigger a BoF vulnerability in the \"url\" parameter without authentication. ########################################### Vulnerabilities found in TRENDnet devices Authors:Prashast Srivastava, Mathias Payer Howard Shrobe, Hamed Okhravi Author contact: https://github.com/prashast/ ########################################### Multiple vulnerabilties including Command Injection, Buffer Overflow and Reflective XSS vulnerabilties were found in the following TRENDnet devices: Routers: TEW-634GRU, TEW-673GRU, TEW-632BRP IP-Cameras: TV-IP110WN, TV-IP121WN These were found using our dynamic analysis tool for embedded devices. The POC's will be made available upon the public release of our tool. A more detailed breakdown is presented below on a per vulnerability basis:- Command Injection ------------------ CVE-ID: CVE-2018-19239 Product: TEW-673GRU Module affected: `start_arpping` function in `timer` binary Firmware version: v1.00b40 TRENDnet TEW-673GRU v1.00b40 devices have an OS command injection vulnerability in the `start_arpping` function of the `timer binary`, which allows remote attackers to execute arbitrary commands via three parameters (dhcpd_start, dhcpd_end, and lan_ipaddr) passed to the apply.cgi binary through a POST request. Exploiting the vulnerability requires a user to be authenticated with the router with administrative credentials. The `start_arpping` function reads the following values from the NVRAM namely: dhcpd_start, dhcpd_end, lan_ipaddr, lan_bridge and lan_eth. These values are then passed to the `arpping` utility without any sort of sanity checks. Out of these values, the outward facing configuration webserver(httpd) running at `IP:192.168.10.1 Port: 80` allows a user to modify the first three values `dhcpd_start`, `dhcpd_end`, `lan_ipaddr` via the LAN and DHCP server configuration webpage available at `http://192.168.10.1/lan.asp` by making a POST request to `apply.cgi` binary with the appropriate parameters. We have observed that the by directly making a POST request to the `apply.cgi` binary with the values of the above mentioned three parameters containing Command Injection based payloads, it is possible to execute arbitrary commands on the router with root privileges. A sub-routine respondAsp is called that copies a user-controlled parameter into a stack variable using strcpy without any bounds check. Reflective XSS --------------- Products: - TEW-632BRP (1.010B32) - TEW-673GRU (v1.00b40) - TEW-634GRU (v1.01B14) Module affected: `login.cgi` `Login.cgi` in TRENDNet TEW-632BRP, TEW-673GRU and TEW-634GRU has a reflected XSS vulnerability that does not require any authentication. Vendor Disclosure ------------------ The vulnerabilities had been notified to the vendor 12/03. The vendor replied on 12/05 that since the products had reached their end-of-life no future development or firmware updates would be provided for these devices

IOT TAXONOMY

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

buffer overflow

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Mathias Payer, Hamed Okhravi, Prashast Srivastava, Howard Shrobe

SOURCES

LAST UPDATE DATE

2024-11-23T21:37:54.188000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE