Title: [CVE-2020-12475] TP-Link Omada Controller Directory Traversal Vulnerability
I. Overview:
– Discoverer: sovietw0rm & chung96vn
– Software: https://www.tp-link.com/us/support/download/eap-controller/#Controller_Software
– Software version: 3.2.6
II. Detail:
– When I try to analysis my Omada Controller, I found a web service is running by java which is stored in /opt/tplink/EAPController/. After reverse it’s java lib, I found a vulnerability which allow anonymous user read arbitrary file on local.
– Specifically, vulnerability exist in /opt/tplink/EAPController/lib/eap-web-3.2.5.jar file.
com.tp_link.eap.web.portal.PortalController.getAdvertiseFile
– This function doesn’t require authentication, that mean anonymous user can use this function to read arbitrary file.


III. Impact:
– Anonymous user can read arbitrary file.
– Possible to take over admin account by read database info.
IV. Report timeline
– 10/03/2020 Report to TP-Link
– 17/03/2020 Feedback & Request more detail
– 18/03/2020 Send more detail to TP-Link
– 20/04/2020 TP-Link confirm issue and fixed