Advisory Details

March 25th, 2020

(Pwn2Own) TP-Link Archer A7 DNS Response Stack-based Buffer Overflow Remote Code Execution Vulnerability

ZDI-20-333
ZDI-CAN-9660

CVE ID: CVE-2020-10881
CVSS SCORE: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
AFFECTED VENDORS: TP-Link
AFFECTED PRODUCTS: Archer A7
VULNERABILITY DETAILS

This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link Archer A7 AC1750 routers. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of DNS responses. A crafted DNS message can trigger an overflow of a fixed-length, stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the root user.
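The advisory does not say which field of the DNS response ends up in the fixed-length buffer. As an added example (not TP-Link's code and not part of the advisory), the C routine below assumes the copied data is a domain name and shows the checks a parser needs before writing it into a fixed-size buffer: label length against the packet, label length against the remaining output space, and a cap on compression pointers. `dns_read_name`, `DNS_MAX_JUMPS` and `sample_msg` are hypothetical names.

```c
#include <stdint.h>
#include <string.h>

#define DNS_MAX_JUMPS 16  /* assumed cap on compression pointers followed */

/* Constructed sample: 12-byte header, "example.com" at offset 12,
 * a compression pointer to it at 25, a pointer to itself at 27. */
static const uint8_t sample_msg[] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0xC0, 12, 0xC0, 27
};

/* Decode the name at msg[off] into out as dotted text. Returns the text
 * length, or -1 if the message is malformed or the name (plus its NUL)
 * does not fit in out_len bytes. Hypothetical helper, not vendor code. */
int dns_read_name(const uint8_t *msg, size_t msg_len, size_t off,
                  char *out, size_t out_len)
{
    size_t w = 0;   /* bytes written so far; invariant: w < out_len */
    int jumps = 0;

    if (out_len == 0)
        return -1;
    for (;;) {
        if (off >= msg_len)
            return -1;
        size_t len = msg[off];
        if (len == 0)
            break;
        if ((len & 0xC0) == 0xC0) {   /* compression pointer */
            if (off + 1 >= msg_len || ++jumps > DNS_MAX_JUMPS)
                return -1;            /* truncated pointer or pointer loop */
            off = ((len & 0x3F) << 8) | msg[off + 1];
            continue;
        }
        if ((len & 0xC0) || off + 1 + len > msg_len)
            return -1;                /* reserved type or label past end */
        size_t need = len + (w ? 1 : 0);   /* label plus separating '.' */
        if (need >= out_len - w)
            return -1;                /* would overflow out: reject */
        if (w)
            out[w++] = '.';
        memcpy(out + w, msg + off + 1, len);
        w += len;
        off += 1 + len;
    }
    out[w] = '\0';
    return (int)w;
}
```

The caller treats -1 as a reason to drop the whole response rather than to truncate and continue.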

ADDITIONAL DETAILS

Fixed in version A7(US)_V5_200220


DISCLOSURE TIMELINE
  • 2019-11-15 - Vulnerability reported to vendor
  • 2020-03-25 - Coordinated public release of advisory
CREDIT: Pedro Ribeiro and Radek Domanski of Team Flashback