Backdoor vulnerability found in TP-Link routers

 mtjs 2013-03-15
Security researcher Michal Sajdak found a backdoor vulnerability in the firmware of the TL-WDR4300 router made by Shenzhen TP-LINK Technologies Co., Ltd. (TP-LINK); after notifying TP-LINK without result, he published proof-of-concept attack code for the vulnerability. Affected models include the TL-WDR4300 and TL-WR743ND, among others; the firmware version containing the remote root vulnerability is the latest one released at the end of last year, 3.13.23 Build 122512 (i.e. the build released on 25 December 2012). Sajdak sent TP-LINK two emails describing the vulnerability in detail, on 12 and 22 February, and received no reply to either, so he disclosed the vulnerability publicly on 12 March.

Models affected by the backdoor:

WDR740N, WDR740ND, WR743ND, WR842ND, WA-901ND, WR941N, WR941ND, WR1043ND, WR2543ND, MR3220, MR3020, WR841N

These are the affected product models known so far, which covers essentially the whole product line. We hope the vendor releases firmware updates for all of them and puts an end to problems of this kind.

More information about TP-Link backdoor

During the analysis of this TP-Link backdoor, I found other issues, which can be handy when analyzing other devices. Finally, the following path leads to remote root exec (useful for debugging purposes). Let's see.
The router allows ftp connections, but the ftp session is somehow chrooted (i.e. one can access only the ftp root and the USB shared directories):

[Figure: Standard ftp connection]

Let’s try a little trick now. After plugging a USB flash drive into the router we can share a folder from the USB to be available on FTP:

[Figure: Folder sharing]

By clicking 'Save' I issue an HTTP request, which I can intercept in a local HTTP proxy and modify like this (i.e. path traversal):

[Figure: path traversal]

After this I can traverse the whole filesystem, in write mode as well:

[Figure: Path traversal – ftp]
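The folder-sharing form above fails because the submitted folder name is joined onto the USB share root and used as-is. The following is an added example (not code from the original post or from the router's firmware) that puts that weak pattern next to a hardened check; the share root /mnt/usb and the sample request values are constructed for the example.

```python
import posixpath
from typing import Optional

# Constructed for this example: the directory under which USB shares are exported.
USB_ROOT = "/mnt/usb"


def weak_share_path(root: str, requested: str) -> str:
    """The pattern the traversal above exploits: the requested folder is joined
    onto the share root and used as-is. Both '..' segments and absolute paths
    escape the root. Shown as the 'before', not as something to deploy."""
    return posixpath.normpath(posixpath.join(root, requested))


def safe_share_path(root: str, requested: str) -> Optional[str]:
    """Hardened form: treat the request as relative, normalise it, and accept it
    only if the result is the share root itself or a descendant of it.
    Returns None for anything that would leave the root.

    This is a pure string check; it does not follow symlinks on disk, so on a
    real device the export root must also be on a filesystem the client cannot
    plant symlinks in, or the result must be passed through os.path.realpath
    and re-checked before use.
    """
    root = posixpath.normpath(root)
    # Strip leading slashes so an absolute request cannot replace the root.
    relative = requested.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # root + "/" matters: "/mnt/usb2" starts with "/mnt/usb" but is outside it.
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


# Constructed request values a folder-sharing form might receive.
SAMPLE_REQUESTS = ["photos", "/photos/2013", "../../etc", "photos/../../../tmp", "/tmp", "../usb2"]


def classify_requests(root: str, requests):
    """Map each request to (weak_result, safe_result) so the two behaviours
    can be compared side by side."""
    return {r: (weak_share_path(root, r), safe_share_path(root, r)) for r in requests}


if __name__ == "__main__":
    for req, (weak, safe) in classify_requests(USB_ROOT, SAMPLE_REQUESTS).items():
        verdict = "rejected" if safe is None else safe
        print(f"{req!r:28} weak -> {weak:20} safe -> {verdict}")
```

Running it shows the weak join mapping "../../etc" to /etc and "/tmp" to /tmp, while the checked version keeps every accepted path under /mnt/usb and rejects the rest.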

But how can I get an interactive root shell? OK, after searching the /tmp directory, there is /tmp/samba/smb.conf, which can be overwritten. A brief look at the samba documentation shows many ways of executing an external binary. For example:

root preexec (S)

    This is the same as the preexec parameter except that the command is run as root. This is useful for mounting filesystems (such as CDROMs) when a connection is opened.

As you can see, this option (root preexec), apart from CDROM mounting, can be used to debug routers ;-) After modification the config looks like this:

[Figure: Modified smb.conf]

/tmp/szel is just a netcat binary (compiled for the MIPS architecture), uploaded by ftp (see the earlier path traversal trick). Now we can try out the remote root shell:

[Figure: remote root]
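From the defender's side, the smb.conf step above is worth turning into a check: any exec hook in a samba config is a code-execution point, and one whose command lives in a world-writable directory such as /tmp is the combination used here. The following is an added example, not code from the post or from the router; it audits a samba config with Python's configparser, and the sample config (a share carrying root preexec = /tmp/szel, with no arguments) is constructed for the example rather than copied from the device.

```python
import configparser
from typing import Dict, List

# Samba parameters that run an external command on connect/disconnect
# (names as in smb.conf(5)); the value says whether the hook runs as root.
EXEC_HOOKS = {
    "preexec": False,
    "postexec": False,
    "root preexec": True,
    "root postexec": True,
}

# Directories that are typically world-writable on an embedded device, so a
# command stored there can be replaced by anyone who can write to them.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample config for this example (not the router's real file):
# one ordinary share and one share carrying a root preexec hook.
SAMPLE_SMB_CONF = """
[global]
    workgroup = WORKGROUP
    server string = router

[usb_share]
    path = /mnt/usb/share
    read only = no

[debug_share]
    path = /mnt/usb/share
    ; the kind of hook the post describes; command arguments left out
    root preexec = /tmp/szel
"""


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is close enough to INI for configparser: '=' separated,
    ';' and '#' comments, case-insensitive keys that may contain spaces."""
    cp = configparser.ConfigParser(
        interpolation=None,        # samba uses %U/%H macros, not %(name)s
        strict=False,              # tolerate duplicate keys or sections
        delimiters=("=",),
        comment_prefixes=("#", ";"),
    )
    cp.optionxform = str.lower
    cp.read_string(text)
    return cp


def audit_smb_conf(text: str) -> List[Dict[str, object]]:
    """Return one finding per exec hook, noting whether it runs as root and
    whether its command lives in a directory an unprivileged writer can reach."""
    findings = []
    cp = parse_smb_conf(text)
    for section in cp.sections():
        for key, value in cp.items(section):
            key = key.strip()
            if key not in EXEC_HOOKS:
                continue
            # First whitespace-separated token is the binary that will run.
            command = value.strip().split()[0] if value.strip() else ""
            findings.append({
                "share": section,
                "parameter": key,
                "command": command,
                "runs_as_root": EXEC_HOOKS[key],
                "command_in_writable_dir": command.startswith(WRITABLE_PREFIXES),
            })
    return findings


def highest_risk(findings) -> str:
    """Collapse the findings to a single label for a quick pass/fail."""
    if any(f["runs_as_root"] and f["command_in_writable_dir"] for f in findings):
        return "critical"
    if any(f["runs_as_root"] for f in findings):
        return "high"
    return "medium" if findings else "none"


if __name__ == "__main__":
    found = audit_smb_conf(SAMPLE_SMB_CONF)
    for f in found:
        print(f)
    print("overall:", highest_risk(found))
```

The audit only reports what the config says; the underlying fix on a device like this is that the config file itself must not sit in a directory a file-sharing user can write to, otherwise every hook parameter is attacker-controlled regardless of its current value.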

Interactive root is nice, but how can it help with locating issues like this one? OK, let's search the httpd binary for strings (httpd can be downloaded from the router, for example using ftp):

[Figure: http-server]

Here we can see the start_art.html string mentioned in the original disclosure. But how does it work? Let's check what is going on on the router when start_art.html is requested:

[Figure: tftp]

Now it's clear: 192.168.0.100 is my IP address, and nart.out is chmod 777'd and then executed…
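The sequence just described has two observable halves: an HTTP request for start_art.html arriving at the router, and the router then acting as a tftp client toward the requester. The following is an added detection example, not code from the post, that scans Common Log Format access-log lines and a list of connection records for exactly that pairing; the router address 192.168.0.1, the log lines and the connection tuples are all constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# Indicators taken from the post above: the page that starts the sequence
# and the port of the protocol the router then uses to fetch nart.out.
DEBUG_PAGE = "start_art.html"
TFTP_PORT = 69

# Common Log Format, as produced by most HTTP servers and proxies.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample access-log lines (not from a real device).
SAMPLE_ACCESS_LOG = [
    '192.168.0.101 - - [12/Mar/2013:10:20:41 +0100] "GET /index.html HTTP/1.1" 200 2048',
    '192.168.0.100 - - [12/Mar/2013:10:21:03 +0100] "GET /start_art.html HTTP/1.1" 200 512',
    '192.168.0.100 - - [12/Mar/2013:10:21:04 +0100] "GET /start_art.html?x=1 HTTP/1.1" 200 512',
    "garbage line that does not parse",
]

# Constructed connection records (src, dst, proto, dport), as a firewall or
# netflow export might give them, with the router at 192.168.0.1.
ROUTER_IP = "192.168.0.1"
SAMPLE_CONNS = [
    ("192.168.0.101", "192.168.0.1", "tcp", 80),
    ("192.168.0.1", "192.168.0.100", "udp", 69),
    ("192.168.0.1", "8.8.8.8", "udp", 53),
]


def scan_access_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag any request whose path (query string stripped) ends in the debug page."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # unparseable lines are skipped, not treated as hits
        path = m.group("path").split("?", 1)[0]
        if path.rsplit("/", 1)[-1] == DEBUG_PAGE:
            hits.append({"src": m.group("src"), "ts": m.group("ts"), "path": m.group("path")})
    return hits


def scan_connections(conns, router_ip: str):
    """Flag tftp sessions initiated by the router: a router normally serves
    clients, so it acting as a tftp client toward a LAN host is the tell."""
    return [c for c in conns if c[0] == router_ip and c[2] == "udp" and c[3] == TFTP_PORT]


def correlate(access_hits, tftp_conns):
    """Keep the debug-page requests whose source also received a
    router-initiated tftp session: together they match the sequence above."""
    tftp_peers = {c[1] for c in tftp_conns}
    return [h for h in access_hits if h["src"] in tftp_peers]


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_ACCESS_LOG)
    tftp = scan_connections(SAMPLE_CONNS, ROUTER_IP)
    for h in correlate(hits, tftp):
        print("debug page request followed by router-initiated tftp:", h)
```

Either half alone is a reasonable alert on a home or small-office network; the correlation step is there to cut noise where access logs are busy, since the router opening a tftp session back to a client is rare regardless of what page was requested.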

Educational use only! We are also not responsible for any potential damage to the devices which are tested for this vulnerability.
