TP-Link AX1800 WiFi 6 Router (Archer AX21) MiniDLNA Stack-Based Buffer Overflow Vulnerability Leading to Remote Code Execution

A remote code execution vulnerability has been identified in the TP-Link AX1800 WiFi 6 Router (Archer AX21) devices. This vulnerability allows unauthenticated attackers on the local network to execute arbitrary code as the root user. The issue arises in the MiniDLNA service, specifically version 1.1.2, where the 'db_dir' field can be manipulated. Exploitation requires a USB flash drive to be connected to the router, as the vulnerability leverages the media sharing feature that is automatically enabled for USB shares.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the router, with the executed code running as the root user.

Reproduction

The vulnerability can be reproduced by uploading a crafted 'files.db' database file to the router via SMB or FTP. This can be done by connecting a USB flash drive to the router and enabling media sharing, which activates the MiniDLNA service. Once the 'files.db' file is uploaded, the MiniDLNA service can be exploited by sending a SOAP request that triggers the buffer overflow, leading to code execution.

Remediation

Users are advised to update to the latest firmware version available on the TP-Link support website for the Archer AX20 model.