[CVE-2020-12475] TP-Link Omada Controller Directory Traversal Vulnerability

Title: [CVE-2020-12475] TP-Link Omada Controller Directory Traversal Vulnerability
I. Overview:
–       Discoverer: sovietw0rm & chung96vn
–       Software: https://www.tp-link.com/us/support/download/eap-controller/#Controller_Software
–       Software version: 3.2.6Picture11II. Detail:
–       When I try to analysis my Omada Controller, I found a web service is running by java which is stored in /opt/tplink/EAPController/. After reverse it’s java lib, I found a vulnerability which allow anonymous user read arbitrary file on local.
–       Specifically, vulnerability exist in /opt/tplink/EAPController/lib/eap-web-3.2.5.jar file.Picture12com.tp_link.eap.web.portal.PortalController.getAdvertiseFile
–       This function doesn’t require authentication, that mean anonymous user can use this function to read arbitrary file.Picture3

Picture4Picture595510503_219357166184790_6791072631962468352_nIII. Impact:
–       Anonymous user can read arbitrary file.
–       Possible to take over admin account by read database info.
IV. Report timeline
–       10/03/2020 Report to TP-Link
–       17/03/2020 Feedback & Request more detail
–       18/03/2020 Send more detail to TP-Link
–       20/04/2020 TP-Link confirm issue and fixed

Advertisement
Privacy Settings

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s