the hyperbolic

In the last post of the Hacking the TL-WPA4220 series, we are going to investigate a stack-based buffer overflow in the TL-WPA4220 (CVE-2020-28005), and try (though unsuccessfully) to exploit it to achieve remote code execution (RCE) on the device. With this, we will finish the Hacking the TL-WPA4220 series.

In the third post of the Hacking the TL-WPA4220 series, we are not going to deal with vulnerabilities of any kind. Instead, we will focus on understanding how the browser communicates with our device’s HTTP server. Then we will be ready to exploit the command injection vulnerabilities we found in the previous post.

In the first blog post of this series, we took a look at a previously disclosed vulnerability in the TL-WA850RE, analyzed the httpd binary, and understood how this vulnerability could be exploited. In this post, we are going to see how we can use this knowledge to find similar (unreported) vulnerabilities for the HTTP server of the TL-WPA4220 Powerline WiFi extender (CVE-2020-24297).

This is the first part of a series of 4 blog posts on the process I followed to discover two command injection vulnerabilities and a buffer overflow in TP-Link’s TL-WPA4220, a Powerline adapter and WiFi extender. In this post, however, we are not going to talk about the TL-WPA4220 at all, but we will be looking at a vulnerability affecting version 5 of the TL-WA850RE WiFi Range extender that was published a couple of years ago.

In this post, I’m going to describe some vulnerabilities that I found a while ago, affecting the HTTP server of TP-Link’s Powerline Adapter/WiFi Extender TL-WPA4220 (hardware versions 2, 3, and 4). These flaws are two command injection vulnerabilities that can grant an attacker root access to the device (CVE-2020-24297), as well as a stack-based buffer overflow vulnerability that can be used to crash the http service (CVE-2020-28005).