-15% na nową książkę sekuraka: Wprowadzenie do bezpieczeństwa IT. Przy zamówieniu podaj kod: 10000

More information about TP-Link backdoor

12 marca 2013, 13:03 | Aktualności | komentarzy 16
Tagi: , ,

During the analysis of this TP-Link backdoor, I found other issues, which can be handy when analyzing other devices. Finally the following path leads to remote root exec (useful for debugging purposes). Let’s see.
The router allows for ftp connections. But the ftp session is somehow chrooted (ie. one can access only ftp root and USB shared directories), standard router credentials used here:

ftp chroot

Standard ftp connection

Let’s try a little trick now. After plugging a USB flash drive into the router we can share a folder from the USB to be available on FTP:

udostępnianie folderu

Folder sharing

By clicking 'Save’ I issue an HTTP request, which I can intercept in local http proxy, and modify it like this (ie. path traversal):

path traversal

path traversal

After this I can traverse all the filesystem – also in write mode:

ftp path traversal

Path traversal – ftp

But how can I have interactive root-shell? OK, after searching /tmp directory, there is /tmp/samba/smb.conf which can be overwritten. Brief analysis of samba documentation shows many ways of executing external binary. For example:

root preexec (S)

    This is the same as the preexec parameter except that the command is run as root. This is useful for mounting filesystems (such as CDROMs) when a connection is opened.

As you can see, this option (root preexec) apart from CDROM mounting can be used to debug routers ;-) After modification the config looks like this:

zmodyfikowany smb.conf

Modified smb.conf

/tmp/szel is just a netcat binary (compiled for MIPS architecture) and uploaded by ftp (see the earlier path traversal trick). Now we can try out remote root shell:

smb shell

remote root

Interactive root is nice, but how can it help with locating issues like this? OK, let’s search httpd binary for strings (httpd can be downloaded from the router – for example – using ftp):

http-server

Here we can see start_art.html string mentioned in the original disclosure. But how does it work? Let’s check what is going on on the router when start_art.html is launched:

tftp

Now it’s clear – 192.168.0.100 is my IP address and nart.out is 777 chmoded and then executed…

Educational use only! We are also not resposible for any potential damages of the devices which are tested for this vulnerability.

–Michał Sajdak (michal.sajdak<at>securitum.pl)

Spodobał Ci się wpis? Podziel się nim ze znajomymi:



Komentarze

  1. Dariusz

    Great article. Pure hacking in action! Keep it up.

    Odpowiedz
  2. Good Job

    Odpowiedz
  3. Security

    Awesome work!
    How did you manage to get the Samba server to re-read the smb.conf by the way?

    Odpowiedz
    • @Security – samba rereads it automatically (I didn’t have time to check if it’s normal samba behaviour).
      Other method would be to just restart print server.

      –ms

      Odpowiedz
  4. Andrej

    If I understand correctly this is SW issue and not HW.
    Easily correctable via alternative firmware (WRT based)

    Or you can disable http admin that is opened to the WAN
    – http admin to WAN is a bad practice anyway regardless of the router model by my opinion
    – minimum is https if you must open admin to WAN
    – better still is that there is nothing opend to WAN, or only SSH (secured by a digital certificate)
    – you can allways get to http admina via VPN and then access it via LAN

    Odpowiedz
    • Andrej, yes, it is SW issue and is correctable by alt firmwares.

      Your recommendations are OK, but https wouldn’t be helpful here – the start_art.html request could be made by https (if a router supports https).

      Odpowiedz
  5. Michał

    Burp – it was used on Securitum training, very useful tool :)

    Odpowiedz
  6. Such a geek! :)

    Odpowiedz
  7. Mack

    Firmware Version: 3.13.6 Build 110923 Rel.53137n
    Hardware Version: WR2543ND v1 00000000

    Issuing the request sees tftp request for the below, haven’t checked any further though.
    Filename: mdk_client.out

    Odpowiedz
  8. Wojtek

    Theory:
    From messing with OpenWRT I learned a while ago that next to the uboot and firmware partitions, the SPI flash has also an „ART” partition.
    ART = Atheros Radio Test = calibration data for the wireless chip, that won’t come up without them.
    This „feature” might be used for in-factory loading the per-chip specific data into the flash, somehow.

    Odpowiedz
  9. Odpowiedz
  10. DefToneR

    Hi! thanks for share

    As I tried before update to the lastests version of fw
    (3.13.31 Build 130319 Rel.57876n) this „bug” was repaired.

    As you can read on description on TPLink page:
    „Fixed some vulnerabilities and improved security”

    Great article and great work.

    Almost nobody update firmware of the routers, so I guess this will be available for years.

    Odpowiedz
  11. Michał

    Witam.

    Leży mi router , którego za żadne skarby nie mogę wrócić do ustawień fabrycznych (uszkodzony przycisk reset).

    Czy istnieje możliwość zmiany hasła do logowania na router mając go na biurku ?

    Odpowiedz
  12. someone

    Hello,

    How can I test if my TP-Link Archer D7 is vulnerable?

    Thank you

    Odpowiedz
  13. Zdzich
    Odpowiedz

Odpowiedz na Pantuts