
Use of Insufficiently Random Values (CWE-330) on TP-Link Wi-Fi Range Extender

TP-Link Wi-Fi Range Extender v6 sets highly predictable session IDs, which lets attackers gain administrative access to the router.

The HTTPd server used in the Wi-Fi Range Extenders sets session IDs that are sequential and increase over time. After a reboot, the sequence also starts again from the beginning. An attacker can easily find the session ID of the currently logged-in admin user by trying only the values below the one he has received.

A sample of the session IDs captured with Burp Sequencer is given below:

...
6400a8c000000004
6400a8c000000005
6400a8c000000006
6400a8c000000007
6400a8c000000008
6400a8c000000009
6400a8c00000000a
6400a8c00000000b
6400a8c00000000c
...
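
The pattern in the sample above can be checked mechanically. The following is an added example, not part of the original advisory or of the vendor's code: it measures how many bits vary across a set of captured IDs and whether they behave like a counter, and it shows an ID drawn from the OS CSPRNG for comparison. The function names and the 25% variation threshold are assumptions made for illustration.

```python
import secrets

# Session IDs copied from the sample shown on this page.
OBSERVED = [
    "6400a8c000000004", "6400a8c000000005", "6400a8c000000006",
    "6400a8c000000007", "6400a8c000000008", "6400a8c000000009",
    "6400a8c00000000a", "6400a8c00000000b", "6400a8c00000000c",
]

def analyze_tokens(tokens):
    """Summarize how predictable a series of equal-length hex session IDs is."""
    if len(tokens) < 2:
        raise ValueError("need at least two tokens to compare")
    values = [int(t, 16) for t in tokens]
    changed = 0
    for v in values[1:]:
        changed |= v ^ values[0]  # bits that differ from the first ID
    deltas = [b - a for a, b in zip(values, values[1:])]
    constant = len(set(deltas)) == 1
    return {
        "bits_total": len(tokens[0]) * 4,
        "bits_varying": bin(changed).count("1"),
        "monotonic": all(d > 0 for d in deltas),
        "constant_step": constant,
        "step": deltas[0] if constant else None,
    }

def is_predictable(report, min_varying_fraction=0.25):
    """Flag counters and IDs where most bits never change.

    min_varying_fraction is an assumed threshold for this example.
    """
    low_variation = (
        report["bits_varying"] < report["bits_total"] * min_varying_fraction
    )
    return report["monotonic"] or report["constant_step"] or low_variation

def new_session_id():
    """An unpredictable ID: 128 bits from the OS CSPRNG, hex encoded."""
    return secrets.token_hex(16)

if __name__ == "__main__":
    report = analyze_tokens(OBSERVED)
    print("observed:", report, "predictable:", is_predictable(report))
    fresh = analyze_tokens([new_session_id() for _ in range(9)])
    print("csprng:  ", fresh, "predictable:", is_predictable(fresh))
```

For the sample on this page, only 4 of 64 bits change and every ID is exactly one greater than the previous one.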

POC:

[Image: proof of concept]

Affected Products:

Hardware: TL-WA850RE Wi-Fi Range Extender v6
Software: up to and including Firmware 1.0.1 Build 20200403 Rel 72167

History: