TP-Link TL-SG108E Easy Smart Switch CVE-2017-8074 CVE-2017-8075 CVE-2017-8076 CVE-2017-8077 CVE-2017-8078
In May 2016, I did a small assessment of my own TP-Link switch. I found several vulnerabilities, so I sent a complete report to TP-Link support to warn them. They answered me very professionally and stated that these vulnerabilities are mainly due to the technical limitations of the device. Since that date, no updates have been released.
The configuration of the switch can be performed through the fat client available here: http://uk.tp-link.com/download/TL-SG108E_V1.html
The firmware released in 2014 is still the same in 2017:
TCP port 80 is open and is used to upgrade the firmware. All other configuration goes through UDP ports 29808 and 29809.
Reversing the fat client
Using file, binwalk and Java Decompiler, I noticed the exe was just an archive containing the Java code. As we can see below, the program was built with its debugging facilities left in:
Because the program is written in Java, we can run it directly with the JRE:
Dumping the login and password from the logs
Running it from the command line with the “a” option, which enables all logging, we can extract this:
[...]
[null][2017-03-26 14:26:58][DEBUG] Token HEAD: Packet Header:[version:1,opernate code:1,error code:0,sequence number:945,length:40,flag:0,fragment offset:0,token ID:16182,mac address:60-E3-27-83-20-A4] [line -1]
[null][2017-03-26 14:26:58][DEBUG] Send Header:Packet Header:[version:1,opernate code:3,error code:0,sequence number:946,length:56,flag:0,fragment offset:0,token ID:16182,mac address:60-E3-27-83-20-A4] [line -1]
[null][2017-03-26 14:26:58][DEBUG] SEND data:TLV array list [length:2,0:[type:200, length:6, 61646d696e00]1:[type:202, length:6, 61646d696e00]] [line -1]
[null][2017-03-26 14:26:58][DEBUG] RECEIVED HEAD: Packet Header:[version:1,opernate code:4,error code:0,sequence number:946,length:36,flag:0,fragment offset:0,token ID:16182,mac address:60-E3-27-83-20-A4] [line -1]
[null][2017-03-26 14:26:58][DEBUG] RECEIVED TLV: TLV array list [length:0,] [line -1]
[null][2017-03-26 14:26:58][DEBUG] Login successfully. [line -1]
[null][2017-03-26 14:26:58][DEBUG] Done! [line -1]
[...]
As you can easily guess, in the send section the data sent are shown hex-encoded: 61646d696e00 → admin
In any case, a couple of lines later we can see the login and the password in clear text:
[...]
[null][2017-03-26 14:26:59][DEBUG] Switch Info:[Switch type:TL-SG108E 1.0][Switch Mac:60-E3-27-83-20-A4][Switch IP:192.168.42.1][Port Number:8][User name:admin][Password:admin] [line -1]
[null][2017-03-26 14:26:59][DEBUG] transfer: 192.168.42.2 [line -1]
[null][2017-03-26 14:26:59][DEBUG] Open Page <System Info> [line -1]
[null][2017-03-26 14:26:59][DEBUG] Done! [line -1]
[...]
Reversing the network communication
I then changed the switch's “device description” to “chmod750” while capturing the network traffic at the same time. In the debug console we again see the login and the password, but we also see the new device name in hexadecimal (63686d6f6437353000 → chmod750):
[...]
[Receive.java][2016-05-04 15:03:43][DEBUG] RECEIVED TLV: TLV array list [length:9,
  0:[type:1, length:10, 544c2d53473130384500]
  1:[type:2, length:9, 63686d6f6437353000]
  2:[type:3, length:6, 60e3278320a4]
  3:[type:7, length:31, 312e312e32204275696c642032303134313031372052656c2e353037343900]
  4:[type:8, length:14, 544c2d53473130384520312e3000]
  5:[type:9, length:1, 00]
  6:[type:4, length:4, c0a82a01]
  7:[type:5, length:4, ffffff00]
  8:[type:6, length:4, 00000000]] [line 67]
[...]
In Wireshark, let’s have a look:
All of the traffic is UDP and encrypted. Data sent:
Investigating the source code a little further, I found a function called RC4. RC4 is a deprecated cipher, and the key is right there in the client:
With this key, the previously captured traffic can be decrypted:
We can see the login (admin), the password I changed (from admin to root) and the new device name (chmod750). With this knowledge, a small Scapy script embedding the key would be enough to decrypt the traffic on the fly.
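To make the TLV lists the client logs readable (the login packet above and the switch-info reply), here is a small decoder. It is an added example, not code from the original post or from the TP-Link client; the two sample lines are constructed from the log excerpts quoted above, and the field names are assumptions inferred from the decoded values.

```python
import binascii
import re

# Both sample lines are constructed from the debug-log excerpts quoted in this post:
# the login packet (types 200/202) and the switch-info reply received after the
# device description was changed to "chmod750".
LOGIN_TLV_LIST = ("TLV array list [length:2,0:[type:200, length:6, 61646d696e00]"
                  "1:[type:202, length:6, 61646d696e00]]")
INFO_TLV_LIST = (
    "TLV array list [length:9,0:[type:1, length:10, 544c2d53473130384500]"
    "1:[type:2, length:9, 63686d6f6437353000]2:[type:3,length:6, 60e3278320a4]"
    "3:[type:7, length:31,312e312e32204275696c642032303134313031372052656c2e353037343900]"
    "4:[type:8, length:14,544c2d53473130384520312e3000]5:[type:9, length:1, 00]"
    "6:[type:4, length:4, c0a82a01]7:[type:5,length:4, ffffff00]8:[type:6, length:4, 00000000]]"
)

# Assumption: field names are inferred from the decoded values (and from the
# "Switch Info" log line), not taken from any TP-Link specification.
TLV_NAMES = {1: "model", 2: "description", 3: "mac", 4: "ip", 5: "netmask",
             6: "gateway", 7: "firmware", 8: "hardware", 9: "dhcp",
             200: "username", 202: "password"}

# One TLV element as the client logs it: [type:N, length:N, <hex bytes>]
TLV_RE = re.compile(r"\[type:(\d+),\s*length:(\d+),\s*([0-9a-fA-F]*)\]")


def decode_value(tlv_type, raw):
    """Turn the raw TLV bytes into the form the rest of the log shows them in."""
    if tlv_type in (4, 5, 6) and len(raw) == 4:       # IPv4 address fields
        return ".".join(str(b) for b in raw)
    if tlv_type == 3 and len(raw) == 6:                # MAC address, as in the header
        return "-".join(f"{b:02X}" for b in raw)
    if tlv_type == 9:                                  # single-byte flag
        return int.from_bytes(raw, "big")
    # Everything else is a NUL-terminated ASCII string (61646d696e00 -> "admin").
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_tlv_log(line):
    """Parse one 'TLV array list' debug line into {field_name: decoded_value}."""
    fields = {}
    for type_str, length_str, hexdata in TLV_RE.findall(line):
        tlv_type, length = int(type_str), int(length_str)
        raw = binascii.unhexlify(hexdata)
        # Check the declared length so a truncated log line is reported, not mis-decoded.
        if len(raw) != length:
            raise ValueError(f"type {tlv_type}: declared {length} bytes, got {len(raw)}")
        fields[TLV_NAMES.get(tlv_type, f"type_{tlv_type}")] = decode_value(tlv_type, raw)
    return fields
```

Running parse_tlv_log on the switch-info line yields the model, description, MAC, firmware build and IP configuration in plain form; on the login line it yields the username and password, which is exactly what a passive observer holding the RC4 key recovers from the UDP traffic.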
The firmware transfer and upgrade are performed over HTTP on port 80, through a CGI script called “httpupg.cgi” that takes a dangerous parameter called “cmd”:
The HTTP transfer is performed through a POST request without any authentication (in the capture, the red part is the user and the blue part is the switch):
I decided to stop the assessment at this point and to alert TP-LINK support. From my point of view, this switch is pretty interesting for the price and all its network functionalities (I will definitely continue to use it in my lab). It is really interesting to see how the product has been designed and developed. So far, these vulnerabilities have not been patched, so take precautions.