Advisory Details

February 24th, 2021

TP-Link AC1750 sync-server Stack-based Buffer Overflow Remote Code Execution Vulnerability

ZDI-21-215
ZDI-CAN-12306

CVE ID CVE-2021-27246
CVSS SCORE 8.0, (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
AFFECTED VENDORS TP-Link
AFFECTED PRODUCTS AC1750
VULNERABILITY DETAILS

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 AC1750 routers. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of MAC addresses by the tdpServer endpoint. A crafted TCP message can write stack pointers to the stack. An attacker can leverage this vulnerability to execute code in the context of the root user.

ADDITIONAL DETAILS

Fixed in V5


DISCLOSURE TIMELINE
  • 2020-11-06 - Vulnerability reported to vendor
  • 2021-02-24 - Coordinated public release of advisory
  • 2021-03-19 - Advisory Updated
CREDIT @0xMitsurugi (Synacktiv), @swapgs (Synacktiv)
BACK TO ADVISORIES