CVE-2018-17005
Description
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for firewall dmz enable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TP-Link TL-WR886N routers allow authenticated attackers to crash network services via a long JSON value in the firewall DMZ enable request.
Vulnerability
An issue exists in the firewall DMZ configuration functionality of TP-Link TL-WR886N firmware versions 6.0 2.3.4 and 7.0 1.1.0. When an authenticated user sends an HTTP POST request to enable the DMZ host with an abnormally long value in a specific JSON key, the router's config file becomes corrupted. If the string is sufficiently long, the inetd task also crashes, causing a denial of service (DoS) condition that affects multiple network services, including HTTP, DNS, and UPnP [1].
Exploitation
An attacker must already possess authenticated access to the router's web interface. The exploit is performed by sending a crafted HTTP POST request to the vulnerable endpoint with an excessively long value in the JSON payload. The attacker does not require any special network position beyond being able to reach the router's management interface. The provided proof-of-concept code shows how to obtain a session token and then send the malicious request [1].
Impact
Successful exploitation crashes the inetd daemon, which stops critical network services such as the HTTP server, DNS resolver, and UPnP daemon. This results in a complete denial of service for the router's management interface and local network services until the device is rebooted. No privilege escalation or data compromise is achieved, but the DoS can disrupt network operations [1].
Mitigation
As of the publication date, no official firmware patch from TP-Link has been disclosed in the available references. Users should ensure the device is not accessible from the internet, restrict management access to trusted local hosts only, and monitor TP-Link's support site for security updates. Consider replacing the device if it is end-of-life or unsupported [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
Missing input length validation on the JSON "enable" field in the firewall DMZ configuration handler allows a buffer overflow when writing to the config file.
Attack vector
An authenticated attacker sends an HTTP POST request to the router's JSON API endpoint (e.g., `http://192.168.1.1/stok=%s/ds`) with a crafted JSON payload containing an extremely long string value for the `firewall.dmz.enable` field [1]. The PoC uses a string of approximately 1.5 MB of repeated 'A' characters [1]. When the firewall module attempts to store this oversized value to the config file, it overflows and corrupts the config file; if the string is long enough, it crashes the `inetd` task, which in turn stops HTTP, DNS, and UPnP services [1].
Affected code
The vulnerability resides in the firewall module's DMZ configuration handler on TP-Link TL-WR886N devices (firmware version 1.1.0, hardware version 7.0) [1]. When the router stores DMZ settings to a config file after receiving a JSON POST request, it does not properly validate the length of the value supplied for the "enable" key [1].
What the fix does
No patch is provided in the advisory [1]. The researcher's report does not include a vendor fix or commit. To remediate this issue, TP-Link would need to implement input length validation on the JSON key values processed by the firewall module, ensuring that the DMZ "enable" field (and similar fields) cannot accept strings large enough to overflow the config file buffer or crash the `inetd` task [1].
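One way the length validation described above could look, as an added example that is not TP-Link's code and not part of the advisory. The function name, the accepted values "on" and "off", the size limits and the config record format are all assumptions, since the firmware's handler is not shown on this page.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define DMZ_ENABLE_MAX 3   /* assumed: longest accepted value is "off" */
#define DMZ_IP_MAX     15  /* "255.255.255.255" */
#define CFG_LINE_MAX   64  /* assumed size of one config record */

enum dmz_rc { DMZ_OK, DMZ_BAD_ENABLE, DMZ_BAD_IP, DMZ_NO_SPACE };

/* True if s is NUL-terminated within max bytes; never reads past s[max]. */
static int bounded(const char *s, size_t max)
{
    for (size_t i = 0; s != NULL && i <= max; i++)
        if (s[i] == '\0')
            return 1;
    return 0;
}

/* Validate the untrusted JSON values, then build the config record.
 * out is written only when DMZ_OK is returned. */
enum dmz_rc dmz_build_record(const char *enable, const char *dest_ip,
                             char *out, size_t out_len)
{
    struct in_addr addr;
    char line[CFG_LINE_MAX];

    if (!bounded(enable, DMZ_ENABLE_MAX) ||
        (strcmp(enable, "on") != 0 && strcmp(enable, "off") != 0))
        return DMZ_BAD_ENABLE;
    if (!bounded(dest_ip, DMZ_IP_MAX) || inet_pton(AF_INET, dest_ip, &addr) != 1)
        return DMZ_BAD_IP;
    /* snprintf reports the length it needed, so truncation is detectable. */
    int n = snprintf(line, sizeof line, "dmz enable=%s dest_ip=%s\n", enable, dest_ip);
    if (n < 0 || (size_t)n >= sizeof line || (size_t)n >= out_len)
        return DMZ_NO_SPACE;
    memcpy(out, line, (size_t)n + 1);
    return DMZ_OK;
}

int main(void)
{
    char big[4096], rec[CFG_LINE_MAX];   /* constructed oversized input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("oversized: %d\n", dmz_build_record(big, "192.168.1.101", rec, sizeof rec));
    printf("valid:     %d\n", dmz_build_record("on", "192.168.1.101", rec, sizeof rec));
    return 0;
}
```

The value is rejected before any copy or write takes place, so an oversized "enable" string never reaches the config record.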
Preconditions
- auth: Attacker must be authenticated to the router's web interface
- network: Attacker must have network access to the router's HTTP management interface (typically LAN-side on 192.168.1.1)
- input: Attacker sends a crafted JSON payload with an oversized value for the firewall.dmz.enable field
Reproduction
1. Authenticate to the router at `http://192.168.1.1/` using the provided `get_token()` function to obtain a `stok` token [1].
2. Send a POST request to `http://192.168.1.1/stok=%s/ds` (with the obtained token) with JSON body `{"firewall":{"dmz":{"dest_ip":"192.168.1.101","enable":"<1.5MB of 'A' characters>"}},"method":"set"}` [1].
3. The router's `inetd` task crashes, causing HTTP, DNS, and UPnP services to become unavailable [1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.