Austin Hackers Anonymous

CVE-2024-4224: TP-Link TL-SG1016DE XSS

AHA! has discovered an issue with the TL-SG1016DE from TP-Link, and is publishing this disclosure in accordance with AHA!’s standard disclosure policy today, on July 15, 2024. CVE-2024-4224 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

Executive Summary

Authenticated stored cross-site scripting (XSS) exists in the TP-Link TL-SG1016DE affecting version TL-SG1016DE(UN) V7.6_1.0.0 Build 20230616, which could allow an adversary to run JavaScript in an administrator’s browser. CVE-2024-4224 is an instance of CWE-79.

Technical Details

In the management web interface, the sysName parameter of /system_name_set.cgi accepts user input via HTTP GET to set the system name. Once stored, the system name is rendered in the browser without encoding of HTML entities, so JavaScript embedded in the stored system name is executed by the browser of any administrator who views the page.

Proof of concept (PoC) exploit:

<html>
<body>
<a href='http://192.168.0.1/system_name_set.cgi?sysName=a"]};alert(1);</script>'>XSS</a>
</body>
</html>

Repro steps:

  1. Save PoC exploit as 1.html
  2. Authenticate to TL-SG1016DE
  3. Open 1.html and click the XSS link
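As an added illustration (not TP-Link firmware code), the rendering pattern the advisory describes next to a hardened version. The page layout and the `info` variable are assumptions; the value rendered is the PoC's own sysName payload.

```javascript
// Added example: why the PoC string breaks the page, and what correct
// context-aware output encoding does to it. The payload is taken from
// the advisory's PoC link; everything else here is a constructed stand-in.
const POC_SYSNAME = 'a"]};alert(1);</script>';

// Assumed shape of the vulnerable page: the stored name is concatenated
// verbatim into an inline <script> and into the HTML body.
function renderUnsafe(sysName) {
  return `<script>var info = {"name":["${sysName}"]};</script>\n` +
         `<h1>Switch: ${sysName}</h1>`;
}

// HTML context: encode the characters that can change markup meaning.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript context: JSON-encode the value, then escape '<' so that a
// "</script>" inside the value can never terminate the inline script block.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/</g, '\\u003c');
}

function renderSafe(sysName) {
  return `<script>var info = {"name":[${jsStringLiteral(sysName)}]};</script>\n` +
         `<h1>Switch: ${htmlEncode(sysName)}</h1>`;
}

// Review helpers: a page should contain exactly one closing script tag,
// and the JSON embedded in the script should still parse back to the name.
function countScriptClose(html) {
  return html.split('</script>').length - 1;
}

function recoverName(html) {
  const marker = 'var info = ';
  const start = html.indexOf(marker) + marker.length;
  const body = html.slice(start, html.indexOf('</script>')).trim().replace(/;$/, '');
  try { return JSON.parse(body).name[0]; } catch (e) { return null; }
}
```

With the PoC value, `renderUnsafe` yields three `</script>` tags and unparsable JSON (the injected `alert(1)` now sits in script context), while `renderSafe` keeps one closing tag and round-trips the name unchanged.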

Proof screenshot:

Attacker Value

Though we have not explored weaponizing this bug beyond PoC, a scenario for compromise could involve phishing or using a watering hole targeting an authenticated switch administrator.

With administrative access to the TL-SG1016DE, the network configuration could be updated to gain access to sensitive systems on VLANs that were previously inaccessible.

Credit

This issue is being disclosed through the AHA! CNA and is credited to 73x45!!!!! and s3rv1c3_w34p0n_r34ch3r.

Timeline
