In the third post of the Hacking the TL-WPA4220 series, we are not going to deal with vulnerabilities of any kind. Instead, we will focus on understanding how the browser communicates with our device’s HTTP server. Then we will be ready to exploit the command injection vulnerabilities we found in the previous post.
In the first blog post of this series, we took a look at a previously disclosed vulnerability in the TL-WA850RE, analyzed the httpd binary, and understood how this vulnerability could be exploited. In this post, we are going to see how we can use this knowledge to find similar (unreported) vulnerabilities in the HTTP server of the TL-WPA4220 Powerline WiFi extender (CVE-2020-24297).
In this post, I’m going to describe some vulnerabilities that I found a while ago, affecting the HTTP server of TP-Link’s Powerline Adapter/WiFi Extender TL-WPA4220 (hardware versions 2, 3, and 4). These flaws are two command injection vulnerabilities that can grant an attacker root access to the device (CVE-2020-24297), as well as a stack-based buffer overflow vulnerability that can be used to crash the HTTP service (CVE-2020-28005).