===========================================================================
TP-LINK
====================================================================
===========================================================================

1.Advisory Information
Title: TP-LINK TL-SC3171 Vulnerability
Date Published: 12/06/2013
Date of last updated: 12/06/2013

2.Vulnerability Description
The next vulnerability has been found in this device:
-CVE-2013-3688. Authentication Bypass Issues(CWE-592) and Execution with Unnecessary Privileges(CWE-250).

3.Affected Products
-CVE-2013-3688. The following product are affected: TP-LINK TL-SC3171
It’s possible others models are affected but they were not checked.

4.PoC
4.1.Execute Remote Command bypassing authentication
CVE-2013-3688, Execute Remote Command bypassing authentication.
We have found that is possible to reboot this kind of devices remotely. The attack vector is the following one:
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/reboot
http://xx.xx.xx.xx/cgi-bin/hardfactorydefault
_____________________________________________________________________________

In the first one you will get blank page and you can’t re-login until the device is reboot.
In the second one, you will get a victory message and of course, in the next login you should introduce factory settings.

5.Credits
-CVE-2013-3688, was discovered by Eliezer Varadé Lopez, Javier Repiso Sánchez and Jonás Ropero Castillo. 

6.Report Timeline
-2013-05-31: Students team notifies the TP-Link Customer Support of the vulnerability. No reply received.
-2013-06-03: Students asks for a reply. 
-2013-06-04: TP-Link answers saying Coresecurity reported this vulnerability before and this has been corrected in a new beta firmware version.
-2013-06-04: Students answer to the vendor saying that this vulnerability is different from the Coresecurity vulnerabilities.
-2013-06-05: TP-Link answers saying this vulnerability is the same as the vulnerability reported by Coresecurity.
-2013-06-05: Students respond by explaining the details of the vulnerability and confirming that the vulnerability is different.
-2013-06-06: TP-Link answer confirming that the vulnerability is fixed with the latest patch for the reported vulnerabilities generated by Coresecurity. The beta version is available on the website of TP-Link