VYPR
← All advisories
Unrated severityNVD Advisory· Published Sep 13, 2018· Updated Sep 16, 2024

CVE-2018-17014

CVE-2018-17014

Description

An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for ip_mac_bind name.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated users can crash TP-Link TL-WR886N services by sending a long JSON ip_mac_bind name.

Vulnerability

A buffer overflow vulnerability exists in the ipMacBind module of TP-Link TL-WR886N firmware versions 6.0 2.3.4 and 7.0 1.1.0. The module parses JSON data for ip_mac_bind name parameters without proper length validation. Sending a request with an extremely long value in the name key causes the module to overflow its buffer, corrupting the config file and potentially crashing the inetd task [1].

Exploitation

An attacker must be authenticated to the router's web interface. Using a crafted HTTP POST request to the login endpoint with a long JSON string in the ip_mac_bind name field, the attacker can trigger the overflow. The provided proof-of-concept demonstrates how to obtain a session token and then send the malicious payload [1]. The attack can be carried out remotely as long as the attacker has valid credentials.

Impact

Successful exploitation crashes the inetd daemon, which stops critical network services such as HTTP (web interface), DNS, and UPnP. This results in a denial of service condition for all router functions relying on these services, effectively rendering the device unusable until a reboot [1]. No privilege escalation or data leakage is achieved; the impact is limited to availability.

Mitigation

As of the publication date (2018-09-13), no firmware update was available from TP-Link to address this vulnerability. Users are advised to restrict access to the router administration interface and monitor for firmware updates from the vendor. The vulnerable device models may be considered end-of-life (EOL), so replacement with a supported model is recommended.

References
  1. VulInfo/TP-Link/WR886N/inetd_task_dos_10/README.md at master · PAGalaxyLab/VulInfo

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input length validation on the ip_mac_bind.name JSON field allows a buffer overflow when writing configuration data."

Attack vector

An authenticated attacker sends an HTTP POST request to the router's ipMacBind endpoint with an excessively long value in the `ip_mac_bind.name` JSON key. The advisory shows a payload of 1.5 MB of 'A' characters assigned to this field [ref_id=1]. The long string overflows the ipMacBind module's config file, and if the string is long enough it crashes the inetd task, which in turn stops HTTP, DNS, and UPnP services [ref_id=1]. The attacker must already possess valid credentials to authenticate to the router's web interface.

Affected code

The vulnerability resides in the ipMacBind module of the TP-Link TL-WR886N firmware (version 1.1.0 for hardware v7.0). The module processes JSON data from authenticated HTTP POST requests and saves configuration data to a file. No patch or source code diff is provided in the advisory.

What the fix does

No patch is provided in the advisory. The researcher's report does not include a vendor fix or commit diff. The recommended remediation would be for TP-Link to add input length validation on the `ip_mac_bind.name` field before writing it to the configuration file, preventing the buffer overflow that crashes the inetd task.

Preconditions

  • authAttacker must have valid credentials to authenticate to the router's web interface
  • networkAttacker must be able to send HTTP POST requests to the router on the local network
  • configThe ipMacBind module must be accessible (default configuration)
  • inputAttacker sends a JSON payload with a long string (e.g., 1.5 MB of 'A's) in the ip_mac_bind.name field

Reproduction

The advisory includes a full Python PoC script [ref_id=1]. The script authenticates to the router at 192.168.1.1 using the default password 'password', obtains a stok token, then sends a POST request to `/stok=

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.