Advisory ID: SYSS-2015-049
Product: Archer C9 v1 (AC1900 Wireless Dual Band Gigabit Router)
Vendor: TP-LINK Technologies CO., LTD.
Affected Version(s): 3.17.0 Build 20150507 Rel.34590n
Tested Version(s): 3.17.0 Build 20150507 Rel.34590n
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: High
Solution Status: Fixed
Vendor Notification: 2015-07-29
Solution Date: 2015-08-27
Public Disclosure: 2016-04-27
CVE Reference: Not yet assigned
Author of Advisory: Martin Macht (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

A persistent cross-site scripting vulnerability could be identified in
the Archer C9 v1 Web interface.

The vendor TP-LINK describes the product as follows (see [1]):

"The Archer C9 AC1900 Wireless Dual Band Gigabit Router integrates
4-port Switch, Firewall, NAT-router and Wireless AP. Powered by 3x3 MIMO
technology, the AC1900 Wireless Dual Band Gigabit Router delivers
exceptional range and speed, which can fully meet the need of Small
Office/Home Office (SOHO) networks and the users demanding higher
networking performance. Your wireless connections are radio band
selectable to avoid interference in your area, and the four built-in
Gigabit ports supply high-speed connection to your wired devices."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The TP-LINK Archer C9 gives users the opportunity to share files on the
connected USB flash drives. It is possible to create shares (shared
folders) with a user-defined name. Within this functionality, it is
possible to embed JavaScript code in the form field "Share Name".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Set the "Share Name" to the following value:

The character limit (15) of the form field "Share Name" is only
validated on the client side.
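
The two defects described above (markup accepted in "Share Name", and a
15-character limit enforced only in the browser) are addressed by a
server-side check plus encoding at output time. The following Python is
an added example, not code from SySS or from the TP-LINK firmware; the
handler, the field name share_name and the allow-list are assumptions.

```python
import html
import re

MAX_SHARE_NAME_LEN = 15  # the limit the advisory says was only checked client-side
# Assumption: a conservative allow-list; the firmware's real naming rules are not on the page.
_ALLOWED = re.compile(r"[A-Za-z0-9 _.-]+")

class ShareNameError(ValueError):
    """Raised when a submitted share name fails server-side validation."""

def validate_share_name(raw):
    """Run on every request, regardless of what the HTML form enforced."""
    if not isinstance(raw, str):
        raise ShareNameError("share name must be a string")
    name = raw.strip()
    if not name:
        raise ShareNameError("share name is empty")
    if len(name) > MAX_SHARE_NAME_LEN:
        raise ShareNameError("share name exceeds %d characters" % MAX_SHARE_NAME_LEN)
    if not _ALLOWED.fullmatch(name):
        raise ShareNameError("share name contains characters outside the allow-list")
    return name

def render_share_row(stored_name):
    """Encode at output too, so names stored before the check existed stay inert."""
    return "<td>{}</td>".format(html.escape(stored_name, quote=True))

def handle_create_share(form, store):
    """Hypothetical request handler: returns (HTTP status, message)."""
    try:
        name = validate_share_name(form.get("share_name"))
    except ShareNameError as exc:
        return 400, str(exc)
    store.append(name)
    return 200, "created"

# Constructed sample requests: valid, over the length limit, containing markup.
SAMPLES = [
    {"share_name": "Movies"},
    {"share_name": "A" * 16},
    {"share_name": "<b>x</b>"},
]

def run_samples():
    store = []
    return [handle_create_share(s, store)[0] for s in SAMPLES], store

if __name__ == "__main__":
    print(run_samples())
```
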

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to firmware version C9_V1_150811.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-07-29: Vulnerability reported to vendor
2015-08-27: Vendor releases firmware (C9_V1_150811)
2016-04-27: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] TP-LINK Archer C9 User Guide
    http://www.tp-link.us/resources/document/Archer_C9_V1_UG.pdf
[2] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Martin Macht of the SySS GmbH.

E-Mail: martin.macht (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Martin_Macht.asc
Key fingerprint = 8B1A 1E97 1EF4 F0EA 50F8 428E ED1B F609 D44A 8C87

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en