Heap-based buffer overflow
Remote Code execution
TP-Link
- Archer AX21(US)_V3_1.1.4 Build 20230219
- Archer AX21(US)_V3.6_1.1.4 Build 20230219
/usr/lib/libtmpv2.so
In the picture below, variable content_length
is used to indicate the length of content of TMP packet and it can be controlled by an attacker. Then, the process will receive another content_length
bytes into buffer v7
, but the size of v7
is smaller than the maximun value of content_length
which can lead to buffer overflow.
- Archer AX21(US)_V3.6_230621
- Archer AX21(US)_V3_230621
Since this vulnerability can lead to remote code execution on LAN side, please update the firmware as soon as possible.
https://www.tp-link.com/us/support/download/archer-ax21/#Firmware
Reported by Xiaobye, working with DEVCORE Internship Program