CVE-2024-48712

Vulnerability

In TP-Link TL-WDR7660 firmware version 1.0, the rtRuleJsonToBin function in the web management interface fails to validate the length of the name parameter. This allows an attacker to overflow the stack by providing an excessively long string. The vulnerability is reachable through the reboot_timer configuration endpoint.

Exploitation

An attacker must have network access to the device's web interface and a valid session cookie. By sending a crafted POST request to /stok=.../ds with a JSON payload containing a name field of 0x100000 bytes (over 1 million characters), the rtRuleJsonToBin function copies the unchecked string to a fixed-size stack buffer, causing a stack overflow. The exploit code shown in the reference [1] demonstrates this.

Impact

Successful exploitation causes the device to crash, resulting in denial of service. After the overflow, the automatic cleaning function fails, and reboot timer rules disappear. The system becomes unresponsive until a manual reboot. No code execution is claimed in the reference, but stack overflows can potentially be leveraged for arbitrary code execution.

Mitigation

As of the publication date, TP-Link has not released a firmware update to address this vulnerability. No workarounds are documented. Users may consider restricting network access to the web interface or upgrading to a different device if available.