VYPR
Unrated severity · NVD Advisory · Published Sep 13, 2018 · Updated Sep 16, 2024

CVE-2018-17016

Description

An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for reboot_timer name.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TP-Link TL-WR886N routers crash services via long JSON in reboot_timer, enabling authenticated DoS.

Vulnerability

TP-Link TL-WR886N firmware versions 2.3.4 (6.0) and 1.1.0 (7.0) contain a buffer overflow in the reboot_timer module. An authenticated attacker can send a specially crafted HTTP POST request with an overly long JSON key value, corrupting the config file and crashing the inetd task, which stops services like HTTP, DNS, and UPnP [1].

Exploitation

The attacker must be authenticated to the router's web interface. Using an HTTP POST request to the reboot_timer endpoint, they supply a JSON payload with an excessively long string in the reboot_timer name parameter. This triggers a buffer overflow in the memory handling of the module, leading to a crash of the inetd process [1].

Impact

Successful exploitation results in a denial-of-service (DoS) condition. The inetd task crashes, disabling critical network services including HTTP (web management), DNS (domain name resolution), and UPnP (device discovery). The device becomes unresponsive to network management and certain network functions until reboot. There is no evidence of code execution or data leakage [1].

Mitigation

As of the publication date (2018-09-13), no firmware update has been released to address the issue. Users should restrict access to the router's management interface to trusted networks and monitor for long JSON payloads. The vendor TP-Link was notified but no official fix is known at the time of writing [1].
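
One way to monitor for the long JSON payloads mentioned above, as an added example that is not part of the advisory or any TP-Link code: a Python check for a monitoring proxy or capture pipeline that flags POSTs to the `/stok=<stok>/ds` management path whose `reboot_timer` `name` is oversized. The function name, the 64-byte name limit and the 8 KiB body cap are assumptions, not values from the firmware.

```python
import json
import re

# Assumed thresholds (not from the firmware): tune to the longest
# legitimate rule name and request body seen on your network.
MAX_NAME_LEN = 64
MAX_BODY_BYTES = 8 * 1024
# Management path shape given on this page: /stok=<token>/ds
DS_PATH = re.compile(r"^/stok=[^/]+/ds$")


def inspect_request(method, path, body):
    """Return a list of findings for one captured HTTP request (body: bytes)."""
    if method.upper() != "POST" or not DS_PATH.match(path):
        return []
    # Check size before parsing so a multi-megabyte body is never decoded.
    if len(body) > MAX_BODY_BYTES:
        findings = [f"oversized body: {len(body)} bytes"]
        # The targeted module can still be spotted without parsing.
        if b'"reboot_timer"' in body[:MAX_BODY_BYTES]:
            findings.append("oversized body targets reboot_timer")
        return findings
    try:
        doc = json.loads(body.decode("utf-8"))
    except (ValueError, RecursionError):
        # Covers bad UTF-8, malformed JSON and pathologically deep nesting.
        return ["unparseable JSON body"]
    timer = doc.get("reboot_timer") if isinstance(doc, dict) else None
    if not isinstance(timer, dict) or "name" not in timer:
        return []
    name = timer["name"]
    if not isinstance(name, str):
        return ["reboot_timer name is not a string"]
    size = len(name.encode("utf-8"))
    if size > MAX_NAME_LEN:
        return [f"reboot_timer name too long: {size} bytes"]
    return []


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    rule = {"name": "rule_1", "table": "reboot_timer_rule", "para": {}, "method": "add"}
    print(inspect_request("POST", "/stok=abc123/ds", json.dumps({"reboot_timer": rule}).encode()))
    rule["name"] = "A" * 200
    print(inspect_request("POST", "/stok=abc123/ds", json.dumps({"reboot_timer": rule}).encode()))
```

The same limits can be enforced as a reject rule on a reverse proxy in front of the management interface, which is the closest available substitute while no firmware fix exists.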

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input length validation on the reboot_timer name field allows a buffer overflow when the value is written to a config file."

Attack vector

An authenticated attacker sends an HTTP POST request to the router's web interface with a crafted JSON payload for the reboot_timer module. The "name" key inside the reboot_timer object is set to a very long string (approximately 1.5 MB of 'A' characters) [1]. This long value overflows the buffer when the reboot_timer module saves data to the config file, which can crash the inetd task and consequently stop network services such as HTTP, DNS, and UPnP [1]. The attacker must first authenticate to the router to obtain a valid stok token, which the provided PoC accomplishes via the login endpoint [1].

Affected code

The advisory [1] identifies the reboot_timer module as the vulnerable component. The module processes HTTP POST requests containing a JSON object with a "name" key, and saves the data to a config file without proper length validation. No specific function names or file paths are provided in the bundle.

What the fix does

No patch is included in the bundle. The advisory [1] does not provide remediation guidance or a vendor fix. To close this vulnerability, the vendor would need to implement input length validation on the reboot_timer name field before writing it to the config file, ensuring the value does not exceed the allocated buffer size.

Preconditions

  • auth: Attacker must be authenticated to the router's web interface (obtain a valid stok token).
  • network: Attacker must have network access to the router's HTTP management interface (typically at 192.168.1.1).
  • input: Attacker sends a crafted JSON payload with an excessively long 'name' value in the reboot_timer object.

Reproduction

1. Authenticate to the router at http://192.168.1.1/ by sending a login request with the password encoded using the `security_encode` function, and extract the `stok` token from the response.
2. Construct a POST request to `http://192.168.1.1/stok=<stok>/ds` with JSON body containing `{"reboot_timer": {"name": "<long string>", "table": "reboot_timer_rule", "para": {...}, "method": "add"}}` where `<long string>` is approximately 1.5 MB of 'A' characters.
3. Send the request; the router services (inetd, HTTP, DNS, UPnP) will crash [1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
