TCL LinkHub Mesh Wifi ucloud_del_node denial of service vulnerability

# Talos Vulnerability Report

### TALOS-2022-1507

## TCL LinkHub Mesh Wifi ucloud_del_node denial of service vulnerability

##### August 1, 2022

##### CVE Number

CVE-2022-26346

##### SUMMARY

A denial of service vulnerability exists in the ucloud_del_node functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to denial of service. An attacker can send packets to trigger this vulnerability.

##### CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

TCL LinkHub Mesh Wifi MS1G_00_01.00_14

##### PRODUCT URLS

LinkHub Mesh Wifi –

##### CVSSv3 SCORE

9.6 – CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

##### CWE

CWE-284 – Improper Access Control

##### DETAILS

The LinkHub Mesh Wi-Fi system is a node-based mesh system designed for Wi-Fi deployments across large homes. These nodes include most features standard in current Wi-Fi solutions and allow for easy expansion of the system by adding nodes. The mesh is managed solely by a phone application, and the routers have no web-based management console.

The LinkHub Mesh system uses protobuffers to communicate both internally on the device, as well as externally with the controlling phone application. These protobuffers can be sent to port 9003 while on the Wi-Fi, or wired network, provided by the LinkHub Mesh in order to issue commands, much like the phone application would. Once the protobuffer is received, it is routed internally starting from the `ucloud` binary and is dispatched to the appropriate handler.

In this case, the handler is `confsrv`, which handles many message types; here we are interested in `MxpManageList`:

```protobuf
message MxpManage {
    required string serialNum = 1;    // [1]
    required int32 opt = 2;
}
message MxpManageList {
    repeated MxpManage mxp = 1;
    optional uint64 timestamp = 2;
}
```

Using [1] we have control over `serialNum` in the packet. The parsing of the data in the protobuf is done in `ucloud_del_node`.
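The two facts above, that any client on the LinkHub's LAN can deliver this protobuf to port 9003 and that `serialNum` is entirely attacker-controlled, are what a receiver has to account for before it dispatches the message. The following is an added example, not code from the TCL firmware or from the Talos report: a pure-Python wire-format decoder for the `MxpManageList` schema above, with the boundary checks (a length bound, a character allow-list, and rejection of malformed or truncated input) that a handler such as `ucloud_del_node` should be able to rely on. `MAX_SERIAL_LEN`, the allowed character set and the sample packets are assumptions constructed for the example; the report does not state the firmware's real limits.

```python
# Added example (not TCL's or Talos's code): a pure-Python decoder for the
# MxpManageList schema above, plus the boundary checks a receiver on port 9003
# should apply before a handler such as ucloud_del_node touches serialNum.
from typing import Iterator, List, NamedTuple, Optional, Tuple

MAX_SERIAL_LEN = 64  # assumed bound; the real firmware limit is not known
MxpManage = NamedTuple("MxpManage", [("serial_num", str), ("opt", int)])
MxpManageList = NamedTuple("MxpManageList", [("mxp", List[MxpManage]), ("timestamp", Optional[int])])

def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    # Base-128 varint; fail on a truncated buffer or a varint longer than 10 bytes.
    result, shift = 0, 0
    while pos < len(buf) and shift <= 63:
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
    raise ValueError("truncated or over-long varint")

def iter_fields(buf: bytes) -> Iterator[Tuple[int, int, object]]:
    # Yield (field_number, wire_type, value); this schema only uses wire types 0 and 2.
    pos = 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        num, wt = key >> 3, key & 7
        if wt == 0:
            val, pos = read_varint(buf, pos)
        elif wt == 2:
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past end of buffer")
            val, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError(f"unsupported wire type {wt}")
        yield num, wt, val

def parse_mxp_manage(buf: bytes) -> MxpManage:
    serial, opt = None, None
    for num, wt, val in iter_fields(buf):
        if num == 1 and wt == 2:
            serial = val.decode("utf-8")  # invalid UTF-8 raises and is rejected
        elif num == 2 and wt == 0:
            opt = (val & 0xFFFFFFFF) - (1 << 32 if val & 0x80000000 else 0)  # int32 sign-extend
    if serial is None or opt is None:
        raise ValueError("MxpManage is missing a required field")
    return MxpManage(serial, opt)

def parse_mxp_manage_list(buf: bytes) -> MxpManageList:
    entries, ts = [], None
    for num, wt, val in iter_fields(buf):
        if num == 1 and wt == 2:
            entries.append(parse_mxp_manage(val))
        elif num == 2 and wt == 0:
            ts = val
    return MxpManageList(entries, ts)

def validate(msg: MxpManageList) -> List[str]:
    # Policy checks on the decoded message; an empty list means accept.
    problems = []
    for i, e in enumerate(msg.mxp):
        n = len(e.serial_num)
        if n == 0 or n > MAX_SERIAL_LEN:
            problems.append(f"mxp[{i}]: serialNum length {n} outside 1..{MAX_SERIAL_LEN}")
        if not all(c.isalnum() or c in "-_" for c in e.serial_num):
            problems.append(f"mxp[{i}]: serialNum has characters outside [A-Za-z0-9_-]")
    return problems

def decode_and_check(buf: bytes) -> Tuple[Optional[MxpManageList], List[str]]:
    # Entry point for the receiver: never raises; returns (message or None, problems).
    try:
        msg = parse_mxp_manage_list(buf)
    except (ValueError, UnicodeDecodeError) as exc:
        return None, [f"malformed protobuf: {exc}"]
    return msg, validate(msg)

def encode_varint(n: int) -> bytes:
    n &= (1 << 64) - 1  # a negative int32 travels as 64-bit two's complement
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)

def encode_mxp_manage_list(entries: List[Tuple[str, int]], timestamp: Optional[int] = None) -> bytes:
    # Encoder used only to build the constructed sample packets below (not captured traffic).
    out = bytearray()
    for serial, opt in entries:
        sb = serial.encode("utf-8")
        inner = encode_varint(1 << 3 | 2) + encode_varint(len(sb)) + sb
        inner += encode_varint(2 << 3 | 0) + encode_varint(opt)
        out += encode_varint(1 << 3 | 2) + encode_varint(len(inner)) + inner
    if timestamp is not None:
        out += encode_varint(2 << 3 | 0) + encode_varint(timestamp)
    return bytes(out)

GOOD = encode_mxp_manage_list([("SN-0001", 1)], timestamp=1659312000)
OVERLONG = encode_mxp_manage_list([("A" * 300, 1)])
EMPTY_SN = encode_mxp_manage_list([("", 0)])
TRUNCATED = GOOD[:-3]  # cut off in the middle of the timestamp varint
```

Calling `decode_and_check` on the four constructed packets accepts `GOOD` and rejects the other three with a reason rather than an exception. That is the property worth having at a network boundary: a malformed or out-of-policy packet costs the receiver one early return before it reaches the handler, instead of whatever the handler does with unchecked input.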

```
00428a98  int32_t ucloud_del_node(int32_t arg1, int32_t arg2, int32_t arg3)

00428ab8      arg_0 = arg1
00428ac4      int32_t $a3
00428ac4      arg_c = $a3
00428ac8      int32_t var_440 = 0
00428acc      int32_t var_444 = 0
00428aec      void group_sn
00428aec      memset(&group_sn, 0, 0x100)
00428af8      int32_t var_448 = 0
00428afc      int32_t sn = 0
00428b00      int32_t var_338 = 0
00428b04      int32_t var_334 = 0
00428b08      int32_t var_330 = 0
00428b0c      int32_t var_32c = 0
00428b10      int32_t var_328 = 0
00428b14      int32_t var_324 = 0
00428b18      int32_t var_320 = 0
00428b38      void var_31c
00428b38      memset(&var_31c, 0, 0x100)
00428b60      void var_21c
00428b60      memset(&var_21c, 0, 0x210)
00428b70      int32_t $v0_1
00428b70      if (arg2 == 0) {
00428b98          _td_snprintf(3, "api/map_manage.c", 0x7a1, " in is null ! \n", 0x4ae4b0)
00428ba4          $v0_1 = 0xffffffff
00428ba4      } else {
00428bc8          GetValue(name: "sys.mesh.groupsn", output_buffer: &group_sn)
00428bec          GetValue(name: "serial.number", output_buffer: &sn)
00428c14          struct MxpManageList* pkt = mxp_manage_list__unpack(0, arg3, arg2)
00428c28          if (pkt == 0) {
00428c50              _td_snprintf(3, "api/map_manage.c", 0x7a9, " unpack failed ! \n", 0x4ae4b0)
00428c5c              $v0_1 = 0xffffffff
00428c5c          } else {
00428c78              init_node_opt_hash_table(&var_21c)
00428c94              get_node_opt_hash_table(&var_21c)
00428ca0              int32_t loop_idx = 0
00428f40              while (true) {
00428f40                  if (loop_idx u>= pkt->mxp_manage_count) {
00428f50                      if (pkt->is_timestamp_present != 0) {
00428f80                          sprintf(&var_31c, "%llu", pkt->timestamp.d, pkt->timestamp:4.d, 0x4ae4b0)
00428fa4                          SetValue(name: "sys.cfg.stamp", input_buffer: &var_31c)
00428f98                      }
00428fc0                      mxp_manage_list__free_unpacked(pkt, 0)
00428fdc                      save_all_mesh_node_opt(&var_21c)
00428ff8                      free_the_hash_table(&var_21c)
0042902c                      printf("[%s][%d][kg] groupsn = %s\n", "ucloud_del_node", 0x7d0, &group_sn, 0x4ae4b0)
00429050                      SetValue(name: "sys.mesh.groupsn", input_buffer: &group_sn)
00429064                      CommitCfm()
00429070                      $v0_1 = 0
00429070                      break
00429070                  }
00428cd8                  upload_one_node_basic_info(serial_number: *(*(pkt->p_mxp + (loop_idx ...
```
