The router allows FTP connections, but the FTP session appears to be chrooted (i.e. one can access only the FTP root and the USB shared directories):
Let’s try a little trick now. After plugging a USB flash drive into the router we can share a folder from the USB to be available on FTP:
By clicking ‘Save’ I issue an HTTP request, which I can intercept in a local HTTP proxy and modify like this (i.e. a path traversal):
After this I can traverse the whole filesystem, in write mode as well:
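The defect behind the step above is that the share-folder name taken from the HTTP request is used without being confined to the USB mount point. The following is an added example (not code from the original post or from TP-Link's firmware) of the check such a handler should perform; the USB mount path /mnt/usb and the function names are assumptions, and the sample request strings are constructed for the demonstration.

```python
import posixpath
from typing import Dict, List, Optional
from urllib.parse import unquote

# Assumed mount point of the USB drive on the router (the page does not name it).
USB_ROOT = "/mnt/usb"


def resolve_share_path(base_root: str, requested: str) -> Optional[str]:
    """Return the canonical absolute path for a requested share folder, or None
    if the request must be rejected because it would escape base_root.

    The check works purely on the path text, so it can run before anything
    touches the filesystem and does not need the directory to exist.
    """
    # Decode percent-encoding once, so "..%2F" is judged the same as "../".
    decoded = unquote(requested)
    # Empty names, NUL bytes (C-string truncation) and absolute paths are
    # never valid share folders.
    if not decoded or "\x00" in decoded or decoded.startswith("/"):
        return None
    root = posixpath.normpath(base_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # Compare against the root with a trailing separator so that a sibling
    # directory such as "/mnt/usb2" is not mistaken for a child of "/mnt/usb".
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def audit_share_requests(base_root: str, requests: List[str]) -> Dict[str, Optional[str]]:
    """Evaluate a batch of share-folder names as the web handler would,
    mapping each raw request to its accepted path or None."""
    return {r: resolve_share_path(base_root, r) for r in requests}


if __name__ == "__main__":
    # Constructed sample inputs: a normal folder name next to traversal attempts.
    samples = ["photos", "photos/../../../tmp/samba", "..%2F..%2Fetc", "/etc", "."]
    for raw, result in audit_share_requests(USB_ROOT, samples).items():
        print(f"{raw!r:32} -> {'rejected' if result is None else result}")
```

The check is textual on purpose: it rejects traversal before any file is opened. Once the directory is actually mounted, a second check with os.path.realpath is still advisable, because a symlink placed on the USB drive can point outside the mount just as ".." does.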
But how can I get an interactive root shell? OK, after searching the /tmp directory, there is /tmp/samba/smb.conf, which can be overwritten. A brief look at the Samba documentation shows many ways of executing an external binary. For example:
root preexec (S)
This is the same as the preexec parameter except that the command is run as root. This is useful for mounting filesystems (such as CDROMs) when a connection is opened.
As you can see, this option (root preexec), apart from CDROM mounting, can be used to debug routers.
After modification the config looks like this:

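From the defender's side, the property worth checking is whether a Samba configuration contains any of the hook parameters the manual describes, since each of them makes smbd run an external program. Below is an added example (not code from the original post or from the Samba project) of a small smb.conf auditor. It assumes only what the Samba manual states: parameter names are matched ignoring case and whitespace, comment lines start with ';' or '#', parameters before the first section header belong to [global], and "exec" is a synonym for "preexec". The config text is constructed for the demonstration.

```python
from typing import Dict, List, Tuple

# smb.conf parameters that make Samba run an external program. Which ones to
# flag is this example's assumption; the list is drawn from the hook
# parameters documented in the Samba manual.
EXEC_PARAMETERS = {
    "preexec": "preexec",
    "exec": "preexec",          # "exec" is a documented synonym for preexec
    "postexec": "postexec",
    "rootpreexec": "root preexec",
    "rootpostexec": "root postexec",
    "magicscript": "magic script",
}


def _normalise(name: str) -> str:
    """Samba ignores case and all whitespace in parameter and section names,
    so "Root PreExec" and "root preexec" are the same parameter."""
    return "".join(name.split()).lower()


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: {section: {normalised parameter: value}}.
    Backslash line continuations are not handled, which is enough for an
    audit of a small router config."""
    sections: Dict[str, Dict[str, str]] = {}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = _normalise(line[1:-1])
            sections.setdefault(current, {})
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        sections.setdefault(current, {})[_normalise(name)] = value.strip()
    return sections


def find_exec_directives(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, canonical parameter name, command) for every
    parameter that causes Samba to execute a program, in file order."""
    findings = []
    for section, params in parse_smb_conf(text).items():
        for name, value in params.items():
            if name in EXEC_PARAMETERS:
                findings.append((section, EXEC_PARAMETERS[name], value))
    return findings


# Constructed sample config: a benign share plus two exec hooks written with
# the spelling variants that a plain grep for "root preexec" would miss.
SAMPLE_CONF = """
[global]
   workgroup = WORKGROUP
   Root PreExec = /bin/mount /dev/cdrom /mnt/cdrom
; preexec = commented out, must be ignored

[usb_share]
   path = /mnt/usb
   read only = no
   pre exec = /usr/bin/logger connection opened
"""

if __name__ == "__main__":
    for section, param, command in find_exec_directives(SAMPLE_CONF):
        who = "root" if param.startswith("root") else "connecting user"
        print(f"[{section}] {param} = {command}  (runs as {who})")
```

The normalisation step matters more than the list: a grep for the literal string "root preexec" is satisfied by the manual's spelling only, while smbd accepts "RootPreExec" or "root  pre exec" just the same. Flagging the hooks is a compensating control; the underlying problem on the router is that a config read by a root daemon lives in a directory the FTP path-traversal bug can write to.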
An interactive root shell is nice, but how can it help with locating issues like this? OK, let’s search the httpd binary for strings (httpd can be downloaded from the router, for example using FTP):
Here we can see the start_art.html string mentioned in the original disclosure. But how does it work? Let’s check what is going on on the router when start_art.html is launched:
Now it’s clear: 192.168.0.100 is my IP address, and nart.out is chmoded 777 and then executed…
Models affected
- TL-WDR4300
- TL-WR743ND (v1.2 v2.0)
- …
History of the bug
- 12.02.2013 – TP-Link e-mailed with details – no response
- 22.02.2013 – TP-Link again e-mailed with details – no response
- 12.03.2013 – public disclosure
Note : Educational use only! We are also not responsible for any potential damage to the devices which are tested for this vulnerability.
Author : Michał Sajdak (michal.sajdak<at>securitum.pl)
Source : sekurak.pl