
Update TP-Link AC1750 Pwn2Own 2019 module #14365

Merged
merged 1 commit into rapid7:master from archer_update on Nov 26, 2020

Conversation

pedrib
Contributor

@pedrib pedrib commented Nov 8, 2020

This PR updates the TP-Link AC1750 Pwn2Own Tokyo 2019 module to slightly modify the injection technique.

The new modified technique allows bypass of a patch that TP-Link issued in early 2020. The vulnerability was discovered and intended to be used in Pwn2Own Tokyo 2020, but they smartened up and patched it (this time for good) just a few days ago in the latest firmware.

The module now works on both old and new firmware up to the patched version, and also improves firmware version detection for both the A7 and C7 routers.

For more details please see: https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2020/minesweeper.md

@pedrib
Contributor Author

pedrib commented Nov 8, 2020

I have requested a CVE number from MITRE for the bypass and will post here as soon as I get it. Otherwise, the module is good to go; as you can see, besides the check the changes are minimal, and I have tested it on both A7 and C7 versions, old and new firmware.

@pedrib
Contributor Author

pedrib commented Nov 18, 2020

yello, this is good to go!

I promise I'll deal with #14206 straight after this :D

Contributor

@timwr timwr left a comment


@pedrib this looks OK to land.
Would you mind rebasing onto master and squashing it into a single commit?
In theory I can do that for you...

@pedrib
Contributor Author

pedrib commented Nov 26, 2020

@timwr I'm a git noob, how do I do that?

@timwr
Contributor

timwr commented Nov 26, 2020

On the command line: git rebase -i e33f4ea63e, then in the editor window do:

pick 019ab9aea6 Update docs
s 89b53c689f Update tplink_archer_a7_c7_lan_rce.rb
s a35465c4e0 Add new advisory links
s 0148b93752 fix typo
s 2755660a9c Update tplink_archer_a7_c7_lan_rce.md
s ee0cbd45b7 Add fixed fw version
s 03b49cf203 Update tplink_archer_a7_c7_lan_rce.md
s 0993248bdc Add new CVE ID

to squash all the commits into one.

Alternatively you can just do:

git reset --soft e33f4ea63e
git commit -m "Update TP-Link AC1750 Pwn2Own 2019 module"

Then just force push: git push pedrib archer_update -f

@pedrib
Contributor Author

pedrib commented Nov 26, 2020

I think that's done? Hope I didn't destroy anything, let me know!

@timwr
Contributor

timwr commented Nov 26, 2020

Actually, I think you just added 2 more commits rather than squashing the existing ones.

@pedrib
Contributor Author

pedrib commented Nov 26, 2020

Jebus, what a noob... do you mind squashing it for me? I think some of you guys were able to do that before.

@timwr
Contributor

timwr commented Nov 26, 2020

I pushed it, but now it shows us both in the commit; I hope that's OK.
If so, I'll go ahead and land it.

@pedrib
Contributor Author

pedrib commented Nov 26, 2020

of course, thank you!

@timwr timwr merged commit 87eba68 into rapid7:master Nov 26, 2020
2 of 3 checks passed
@timwr
Contributor

timwr commented Nov 26, 2020

Original Release notes

This PR updates the TP-Link AC1750 Pwn2Own Tokyo 2019 module to slightly modify the injection technique.
The new modified technique allows bypass of a patch that TP-Link issued in early 2020. The vulnerability was discovered and intended to be used in Pwn2Own Tokyo 2020, but they smartened up and patched it (this time for good) just a few days ago in the latest firmware.
The module now works on both old and new firmware up to the patched version, and also improves firmware version detection for both the A7 and C7 routers.

@pedrib pedrib deleted the archer_update branch December 1, 2020 09:03
@pbarry-r7 pbarry-r7 added enhancement rn-enhancement release notes enhancement labels Dec 9, 2020
@pbarry-r7
Contributor

Release Notes

Updated the exploits/linux/misc/tplink_archer_a7_c7_lan_rce module (a.k.a. TP-Link AC1750 Pwn2Own 2019) with the additional ability to bypass a patch TP-Link issued in early 2020.
