Multiple vulnerabilities, including Command Injection, Buffer Overflow and Reflective XSS vulnerabilities, were found in the following TRENDnet devices:

- Routers: TEW-634GRU, TEW-673GRU, TEW-632BRP
- IP-Cameras: TV-IP110WN, TV-IP121WN

These were found using our dynamic analysis tool for embedded devices. The PoCs will be made available upon the public release of our tool. A more detailed breakdown is presented below on a per-vulnerability basis:

**Command Injection**

```
CVE-ID: CVE-2018-19239
Product: TEW-673GRU
Module affected: `start_arpping` function in `timer` binary
Firmware version: v1.00b40

TRENDnet TEW-673GRU v1.00b40 devices have an OS command injection
vulnerability in the `start_arpping` function of the `timer` binary,
which allows remote attackers to execute arbitrary commands via three
parameters (dhcpd_start, dhcpd_end, and lan_ipaddr) passed to the
apply.cgi binary through a POST request. Exploiting the vulnerability
requires a user to be authenticated with the router with
administrative credentials.

The `start_arpping` function reads the following values from the NVRAM:
dhcpd_start, dhcpd_end, lan_ipaddr, lan_bridge and lan_eth. These values
are then passed to the `arpping` utility without any sort of sanity checks.

Out of these values, the outward-facing configuration webserver (httpd)
running at `IP:192.168.10.1 Port: 80` allows a user to modify the first
three values `dhcpd_start`, `dhcpd_end`, `lan_ipaddr` via the LAN and DHCP
server configuration webpage available at `http://192.168.10.1/lan.asp`
by making a POST request to the `apply.cgi` binary with the appropriate
parameters.

We have observed that by directly making a POST request to the `apply.cgi`
binary with the values of the above-mentioned three parameters containing
Command Injection based payloads, it is possible to execute arbitrary
commands on the router with root privileges.
```

**Buffer Overflows**

```
CVE-ID: CVE-2018-19240
Products:
- TV-IP110WN (V1.2.2 build 68, V220.127.116.11, and V1.2.2 build 64)
- TV-IP121WN (V1.2.2 build 28)
Module affected: `network.cgi`

A buffer overflow reachable through the `iptype` parameter in network.cgi
on TRENDnet TV-IP110WN V1.2.2 build 68, V18.104.22.168, and V1.2.2 build 64
and TV-IP121WN V1.2.2 build 28 devices allows attackers to hijack the
control flow to any attacker-specified location by crafting a POST request
payload (without authentication).
```

```
CVE-ID: CVE-2018-19241
Products:
- TV-IP110WN (V1.2.2 build 68, V22.214.171.124, and V1.2.2 build 64)
- TV-IP121WN (V1.2.2 build 28)
Module affected: `video.cgi`

A BoF vulnerability exists in the CGI binary which can modify the quality of
the video recorded on the camera. A sub-routine respondAsp is called that
copies a user-controlled parameter into a stack variable using strcpy
without any bounds check. This makes the subroutine vulnerable to BoF, and
it can be exploited without authentication.
```

```
Products:
- TV-IP110WN (V1.2.2 build 68, V126.96.36.199, and V1.2.2 build 64)
- TV-IP121WN (V1.2.2 build 28)
Module affected: `watch.cgi`

A BoF vulnerability exists in the `watch.cgi` binary in how it handles
the `url` parameter. An attacker can deliver a payload using a POST request
in the `url` parameter to trigger the BoF vulnerability without
authentication.
```

```
CVE-ID: CVE-2018-19242
Products:
- TEW-632BRP (1.010B32)
- TEW-673GRU (v1.00b40)
Module affected: `apply.cgi`

Buffer overflow in apply.cgi on TRENDnet TEW-632BRP 1.010B32 and TEW-673GRU
devices allows attackers to hijack the control flow to any attacker-specified
location by crafting a POST request payload (with authentication).
```

**Reflective XSS**

```
Products:
- TEW-632BRP (1.010B32)
- TEW-673GRU (v1.00b40)
- TEW-634GRU (v1.01B14)
Module affected: `login.cgi`

`Login.cgi` in TRENDNet TEW-632BRP, TEW-673GRU and TEW-634GRU has a
reflected XSS vulnerability that does not require any authentication.
```

**Vendor Disclosure**

The vendor was notified of the vulnerabilities on 12/03. The vendor replied on 12/05 that, since the products had reached their end-of-life, no future development or firmware updates would be provided for these devices.
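
The Command Injection entry above says the five NVRAM values reach `arpping` "without any sort of sanity checks". The following is an added example of the missing check, not code from the vendor firmware or from our tool: it accepts only strict IPv4 literals and plain interface names and builds an argument vector rather than a shell string. The function names, the sample values and the `arpping` argument order are assumptions.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Strict dotted-quad IPv4 only: digits and dots, then parsed by inet_pton(). */
static int is_ipv4_literal(const char *s)
{
    struct in_addr a;
    if (s == NULL || strspn(s, "0123456789.") != strlen(s)) return 0;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Interface names: 1..15 characters from [A-Za-z0-9._-]. */
static int is_ifname(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > 15) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && !strchr("._-", s[i])) return 0;
    return 1;
}

/* Fill argv only if all five NVRAM values pass; return 0 on success, -1 otherwise.
 * Hypothetical argument order: the page does not document arpping's command line. */
int build_arpping_argv(const char *start, const char *end, const char *lan_ip,
                       const char *bridge, const char *eth, const char *argv[7])
{
    if (!is_ipv4_literal(start) || !is_ipv4_literal(end) ||
        !is_ipv4_literal(lan_ip) || !is_ifname(bridge) || !is_ifname(eth))
        return -1;
    argv[0] = "arpping"; argv[1] = start; argv[2] = end; argv[3] = lan_ip;
    argv[4] = bridge;    argv[5] = eth;   argv[6] = NULL;
    return 0;
}

int main(void)
{
    const char *argv[7];
    /* Constructed sample values, as they might be read back from NVRAM. */
    if (build_arpping_argv("192.168.10.101", "192.168.10.199", "192.168.10.1",
                           "br0", "eth0", argv) != 0) return 1;
    /* Pass argv to execv()/posix_spawn(), never to system() or popen(). */
    for (int i = 0; argv[i]; i++)
        printf("argv[%d] = %s\n", i, argv[i]);
    return 0;
}
```

Because each value becomes exactly one argv element, a value that slipped past validation would still not be interpreted by a shell.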