CVE-2018-17017
Description
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for dhcpd udhcpd enable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated attackers can crash multiple router services (inetd, HTTP, DNS, UPnP) on TP-Link TL-WR886N via a long JSON value in the dhcpd configuration.
Vulnerability
The vulnerability resides in the DHCP daemon (dhcpd) of TP-Link TL-WR886N devices, specifically in firmware versions 2.3.4 for hardware version 6.0 and 1.1.0 for hardware version 7.0 [1]. By sending an HTTP POST request with an excessively long value in a specific JSON key used for DHCP configuration, an attacker can cause a buffer overflow that corrupts the dhcpd configuration file, leading to a crash of the inetd task and subsequently affecting HTTP, DNS, and UPnP services [1].
Exploitation
An attacker must be authenticated to the router's web interface [1]. The attacker crafts a POST request to the DHCP configuration endpoint with a JSON payload containing a very long string for the relevant key. This triggers the overflow when the router processes the data and writes it to the configuration file [1]. The proof-of-concept code demonstrates the authentication process and the ability to send arbitrary JSON, though the specific exploit payload is not fully detailed [1]. No additional privileges or network position beyond authenticated access are required.
Impact
Successful exploitation crashes the inetd task, which stops several critical network services, including the web server (HTTP), DNS resolver, and UPnP daemon [1]. This results in a denial-of-service (DoS) condition, effectively rendering the router's management interface and some network functions unavailable until a reboot [1]. No code execution or data exfiltration is reported.
Mitigation
As of the publication date (2018-09-13), no official firmware update addressing this vulnerability has been released by TP-Link [1]. The affected models (TL-WR886N v6.0 and v7.0) may be nearing or at end-of-life, and no workaround is documented [1]. Users should consider upgrading to a supported router model if continued security is required.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input length validation in the dhcpd module allows an oversized JSON string value to overflow a config file buffer."
Attack vector
An authenticated attacker sends an HTTP POST request to the router's web interface with a JSON payload containing an extremely long string value (e.g., ~1 MB of 'A' characters) for the `dhcpd.udhcpd.enable` key [ref_id=1]. The attacker must first authenticate by obtaining a valid `stok` token via the login endpoint [ref_id=1]. When the router processes this oversized value, it overflows the dhcpd module's config file buffer, which in turn crashes the inetd task and stops network services including HTTP, DNS, and UPnP [ref_id=1].
Affected code
The vulnerability resides in the router's dhcpd module, specifically in the handling of JSON parameters for udhcpd configuration. The researcher notes that "dhcpd module will save data to config file" and that a "long value in specific json key" causes an overflow that corrupts the config file and crashes the inetd task [ref_id=1]. The affected firmware is TP-Link TL-WR886N 7.0 version 1.1.0 [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory does not include any vendor fix or remediation guidance [ref_id=1]. To close this vulnerability, the vendor would need to implement input length validation on all JSON string fields processed by the dhcpd module, ensuring that values written to the config file do not exceed the allocated buffer size.
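A sketch of the input validation described above, as an added example (not TP-Link's code, which the advisory does not show): each udhcpd field named in the advisory gets a length and character-class limit before its value is formatted into a fixed-size config line. The helper name `cfg_format_option`, the `CFG_LINE_MAX` size and the per-field limits are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CFG_LINE_MAX 64 /* assumed size of one config-file line buffer */

enum kind { K_DIGITS, K_IPV4_CHARS };
struct rule { const char *key; size_t max_len; enum kind kind; };

/* Field names are the ones listed in the advisory; limits are assumptions. */
static const struct rule RULES[] = {
    {"enable", 1, K_DIGITS},        {"auto", 1, K_DIGITS},
    {"lease_time", 6, K_DIGITS},    {"pool_start", 15, K_IPV4_CHARS},
    {"pool_end", 15, K_IPV4_CHARS}, {"gateway", 15, K_IPV4_CHARS},
    {"pri_dns", 15, K_IPV4_CHARS},  {"snd_dns", 15, K_IPV4_CHARS},
};

/* Hypothetical helper: 0 and "key=value\n" in out on success, -1 on reject. */
int cfg_format_option(const char *key, const char *val, char *out, size_t out_sz)
{
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++) {
        const struct rule *r = &RULES[i];
        if (strcmp(key, r->key) != 0)
            continue;
        /* Look for the terminator within max_len + 1 bytes only, so a
         * megabyte-sized value is rejected without being scanned or copied. */
        const char *end = memchr(val, '\0', r->max_len + 1);
        if (end == NULL || end == val)
            return -1; /* too long, or empty */
        for (const char *p = val; p < end; p++) {
            unsigned char c = (unsigned char)*p;
            if (!isdigit(c) && !(r->kind == K_IPV4_CHARS && c == '.'))
                return -1; /* character-class check, not full IPv4 parsing */
        }
        int n = snprintf(out, out_sz, "%s=%s\n", key, val);
        return (n < 0 || (size_t)n >= out_sz) ? -1 : 0; /* truncation = reject */
    }
    return -1; /* unknown key: never written to the config file */
}

int main(void)
{
    char line[CFG_LINE_MAX], big[4096];
    memset(big, 'A', sizeof big - 1); /* constructed oversized value */
    big[sizeof big - 1] = '\0';
    printf("lease_time=7200 -> %d\n", cfg_format_option("lease_time", "7200", line, sizeof line));
    printf("enable=AAAA...  -> %d\n", cfg_format_option("enable", big, line, sizeof line));
    return 0;
}
```

Rejecting before any copy, and treating `snprintf` truncation as an error rather than writing a partial line, keeps an oversized or malformed value from ever reaching the config file.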
Preconditions
- auth: Attacker must have valid credentials to authenticate to the router's web interface
- network: Attacker must be able to reach the router's HTTP management interface on the local network
- input: Attacker sends a crafted JSON payload with an oversized string value for a dhcpd parameter
Reproduction
The researcher provides a full Python PoC script [ref_id=1]. The script authenticates to `http://192.168.1.1/` using the default password, obtains a `stok` token, then sends a POST request to `/stok=%s/ds` with a JSON body where `dhcpd.udhcpd.enable` is set to a string of approximately 1 MB of 'A' characters (`buff_count = int(1.0 * 1024 * 1204)`). The researcher notes that other fields (auto, lease_time, pool_start, pool_end, gateway, pri_dns, snd_dns) can also be used as crash points [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.