Zenith is an exploit I wrote to compromise the TP-Link AC1750 Smart Wi-Fi Router, which was part of the Routers / LAN category in the Pwn2Own Austin 2021 contest.

It exploits an integer overflow that results in a heap-buffer overflow in a kmalloc-128 slab cache in the NetUSB driver, which is authored by the KCodes company. The driver listens on the br-lan interface on TCP port 20005 and parses attacker-controlled data. It has been tested against the Archer C7(US)_V5_210519 firmware that was published on August 20, 2021 (you can find NetUSB.ko in TP-Link's firmware images).

TP-Link AC1750 Smart Wi-Fi Router Remote Code Execution Vulnerability
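The bug class named above (an attacker-controlled 32-bit length plus a fixed overhead, summed in 32-bit arithmetic so the allocation comes out far smaller than the data later copied into it), as an added illustration that is neither the NetUSB driver's code nor Zenith's. The overhead value (120 bytes) and the payload bound are assumptions chosen so the wrapped size lands in a 128-byte slab class; the size classes approximate kmalloc's small caches.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed illustration of the vulnerable pattern and its hardened form.
 * Not the NetUSB driver's code: the overhead and the bound are assumed. */

#define MAX_PAYLOAD 0x10000u /* assumed upper bound a parser should enforce */

/* Approximate kmalloc's small size classes: the cache an allocation of n
 * bytes is served from, or 0 if n is too large for these caches. */
size_t slab_class(size_t n) {
    static const size_t classes[] = {8, 16, 32, 64, 96, 128, 192, 256, 512,
                                     1024, 2048, 4096, 8192};
    for (size_t i = 0; i < sizeof classes / sizeof classes[0]; i++)
        if (n <= classes[i]) return classes[i];
    return 0;
}

/* Vulnerable pattern: len comes straight from the network message, and the
 * sum wraps around when len is close to UINT32_MAX, so the request is small. */
uint32_t vuln_alloc_size(uint32_t len, uint32_t overhead) {
    return len + overhead; /* 32-bit wraparound on overflow */
}

/* Returns the slab cache an undersized (wrapped) allocation lands in when it
 * is smaller than the len + overhead bytes later written into it, else 0. */
size_t vuln_overflow_cache(uint32_t len, uint32_t overhead) {
    size_t cache = slab_class(vuln_alloc_size(len, overhead));
    return (cache != 0 && (uint64_t)len + overhead > cache) ? cache : 0;
}

/* Hardened form: bound the length before any arithmetic and do the addition
 * in a wider type so a wrap is detected. Returns -1 when the request is rejected. */
int64_t safe_alloc_size(uint32_t len, uint32_t overhead) {
    if (len > MAX_PAYLOAD) return -1;
    uint64_t total = (uint64_t)len + overhead;
    if (total > UINT32_MAX) return -1;
    return (int64_t)total;
}

int main(void) {
    uint32_t len = 0xFFFFFFF0u, overhead = 120u; /* constructed request length */
    printf("wrapped size %u -> slab cache %zu\n", vuln_alloc_size(len, overhead),
           vuln_overflow_cache(len, overhead));
    printf("hardened result: %lld\n", (long long)safe_alloc_size(len, overhead));
    return 0;
}
```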