CVE-2024-4224: TP-Link TL-SG1016DE XSS
AHA! has discovered an issue with the TL-SG1016DE from TP-Link, and is publishing this disclosure in accordance with AHA!’s standard disclosure policy today, on July 15, 2024. CVE-2024-4224 has been assigned to this issue.
Any questions about this disclosure should be directed to [email protected].
Executive Summary
Authenticated stored cross-site scripting (XSS) exists in the TP-Link TL-SG1016DE affecting version TL-SG1016DE(UN) V7.6_1.0.0 Build 20230616, which could allow an adversary to run JavaScript in an administrator’s browser. CVE-2024-4224 is an instance of CWE-79.
Technical Details
In the management web interface, the sysName parameter in /system_name_set.cgi accepts user input via HTTP GET to set the system name. Once stored, the system name is rendered in the browser without HTML-entity encoding, so the browser executes any JavaScript embedded in the stored system name.
Proof of concept (PoC) exploit:
<html>
<body>
<a href='http://192.168.0.1/system_name_set.cgi?sysName=a"]};alert(1);</script>'>XSS</a>
</body>
</html>
Repro steps:
- Save the PoC exploit as 1.html
- Authenticate to the TL-SG1016DE
- Open 1.html and click the XSS link
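The encoding gap described above, as an added example that is not the advisory's code or TP-Link's firmware: a hypothetical page template that embeds the stored system name in a script block and in visible markup, rendered the vulnerable way beside a context-encoded version, with an allowlist check on the incoming sysName and a check that flags a prematurely closed script block. The template, the allowlist and all function names are assumptions.

```python
import html
import json
import re
from urllib.parse import unquote, urlsplit

# Constructed from the advisory's PoC link: the raw sysName value.
POC_URL = 'http://192.168.0.1/system_name_set.cgi?sysName=a"]};alert(1);</script>'

# Hypothetical page template (assumption: the real firmware template is not on
# the page). The stored name lands in a JavaScript array literal and in markup.
TEMPLATE = (
    '<script>var sysInfo={{"names":["{js}"]}};</script>\n'
    '<h1>{markup}</h1>'
)

def extract_sysname(url: str) -> str:
    """Return the sysName value as the CGI handler would receive it."""
    query = urlsplit(url).query
    return unquote(query.partition("sysName=")[2])

def render_vulnerable(name: str) -> str:
    """Interpolates the raw value into both contexts: the CWE-79 defect."""
    return TEMPLATE.format(js=name, markup=name)

def render_fixed(name: str) -> str:
    """Context-aware output encoding: a JSON string literal for the script
    context, with '<' and '>' escaped so '</script>' can never close the
    block, and HTML-entity encoding for the markup context."""
    js = json.dumps(name)[1:-1].replace("<", "\\u003c").replace(">", "\\u003e")
    return TEMPLATE.format(js=js, markup=html.escape(name, quote=True))

# Input-side allowlist (assumption): characters a switch name plausibly needs.
SAFE_NAME = re.compile(r"[A-Za-z0-9 _.-]{1,32}")

def sysname_is_acceptable(name: str) -> bool:
    """Reject a name before it is stored if it carries anything else."""
    return SAFE_NAME.fullmatch(name) is not None

def script_closed_early(page: str) -> bool:
    """Detection on the rendered page: more </script> tags than the template
    has means the stored value terminated the script block."""
    return page.count("</script>") > TEMPLATE.count("</script>")

if __name__ == "__main__":
    name = extract_sysname(POC_URL)
    print("vulnerable:", script_closed_early(render_vulnerable(name)))  # True
    print("fixed:     ", script_closed_early(render_fixed(name)))       # False
    print("allowed:   ", sysname_is_acceptable(name))                    # False
```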
Proof screenshot:
Attacker Value
Though we have not explored weaponizing this bug beyond PoC, a scenario for compromise could involve phishing or using a watering hole targeting an authenticated switch administrator.
With administrative access to the TL-SG1016DE, the network configuration could be updated to gain access to sensitive systems on VLANs that were previously inaccessible.
Credit
This issue is being disclosed through the AHA! CNA and is credited to 73x45!!!!! and s3rv1c3_w34p0n_r34ch3r.
Timeline
- 2024-04-25 (Thu): Initial findings presented at AHA! Meeting 0x00d3.
- 2024-04-26 (Fri): PoC validated and this disclosure drafted.
- 2024-04-29 (Mon): Disclosed to the vendor via email at [email protected].
- 2024-05-06 (Mon): Vendor acknowledged the vulnerability report.
- 2024-06-27 (Thu): Vendor requested to delay disclosure due to a problem found while testing the new firmware.
- 2024-07-08 (Mon): Vendor released fixed version TL-SG1016DE(UN) V7_1.0.1 Build 20240628.
- 2024-07-15 (Mon): Public disclosure of CVE-2024-4224.