List: full-disclosure
Subject: Re: [FD] Tenda, Dlink & Tplink TD-W8961ND - DHCP XSS Vulnerability
From: "Simon Waters (Surevine)" <simon.waters () surevine ! com>
Date: 2016-11-28 14:42:57
Message-ID: EBCAA892-4017-4783-A15F-40D0462A37FE () surevine ! com
XSS in DHCP name has been reported on the Full Disclosure mailing list for other models of TP-Link Router before.
Seems to be generic to many TP-Link models.
My model has a regular line wrap to the DHCP hostname field, so you need to insert a comment into HTML or JS every N characters into any exploit code, but it is fully exploitable, and you can write arbitrary JS in that space with a little effort.
The attacker would have to inject JavaScript as a DHCP hostname, exhaust the DHCP pool to encourage the admin to view the DHCP page, at which point the attacker would take control of the admin's browser and current session using a tool such as BeEF XSS.
So anyone who can get a DHCP lease from a TP-Link router can use this to obtain a reasonable chance of acquiring admin privileges on that router.
That TP-Link continue to sell routers with basic security vulnerabilities like these is unimpressive, and there doesn't seem to be an effective support channel to get these issues fixed, or updates released.
Simon Waters
phone +448454681066
email simon.waters@surevine.com
skype simon.waters.surevine
Participate | Collaborate | Innovate
Surevine Limited, registered in England and Wales with number 06726289. Mailing Address: PO Box 1136, Guildford GU1 9ND If you think you have received this message in error, please notify us.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
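
The root cause described in the message above is a client-supplied DHCP hostname reaching the admin lease page without validation or output encoding. The following C code is an added example, not part of the original post and not taken from any vendor firmware; it shows the two server-side checks that close this class of bug, and all function names in it are hypothetical.

```c
#include <stddef.h>
#include <string.h>
/* Hypothetical helper. RFC 952/1123: labels of 1-63 [A-Za-z0-9-], no edge '-'. */
int dhcp_hostname_is_valid(const char *name)
{
    size_t label_len = 0, total = 0;
    char prev = '.';
    if (name == NULL) return 0;
    for (char c; (c = *name) != '\0'; name++, total++) {
        int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
        if (c == '.') {
            if (label_len == 0 || prev == '-') return 0;
            label_len = 0;
        } else if (alnum || (c == '-' && label_len > 0)) {
            if (++label_len > 63) return 0;
        } else return 0; /* markup characters, quotes, spaces, control bytes */
        prev = c;
    }
    return label_len > 0 && prev != '-' && total <= 253;
}

/* HTML-escape src into dst; returns length written, or -1 if dst is too small. */
int html_escape(const char *src, char *dst, size_t dst_len)
{
    size_t out = 0;
    if (dst_len == 0) return -1;
    for (; *src; src++) {
        const char *rep = NULL;
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (out + n + 1 > dst_len) return -1;
        if (rep) memcpy(dst + out, rep, n); else dst[out] = *src;
        out += n;
    }
    dst[out] = '\0';
    return (int)out;
}

/* Lease-table cell text: validate first, then escape even names that passed. */
int render_hostname_cell(const char *name, char *dst, size_t dst_len)
{
    return html_escape(dhcp_hostname_is_valid(name) ? name : "(invalid)", dst, dst_len);
}
```

Escaping is applied even after validation so that a later relaxation of the hostname rule does not reintroduce the injection point.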