Jun 19, 2014

Path traversal in TP-LINK WR740 and possibly others

Summary

TP-Link WR740 routers are vulnerable to a path traversal vulnerability on the web administration interface. Unauthenticated users are able to read any file from the device.

Description

Models: WR740N, WR740ND and possibly others.
Update: People have been reporting on forums that models WR743ND,WR842ND,WA-901ND,WR941N,WR941ND,WR1043ND,WR2543ND,MR3220,MR3020,WR841N are also based on the same HTTP daemon but we haven't been able to test it ourselves.
Firmware: 3.12.11 Build 111130 Rel.55312n and possibly others
Date: 26/05/2012
Severity: High
Impact: Disclosure of configuration and password files.
Attack vector: Remote. No auth required.
Solution: N/A

The router TP-Link WR740ND/WR740N has a HTTP server running on port 80 handling the web management interface.

There exists a path traversal vulnerability in the URI "/help" that allows attackers to read any file including configurations.

It is possible to read other configuration files if the services have been configured previously. (No-IP, DyDNS, Samba, NFS)

POC


After further research we discovered that the URL was posted before on some russian forum, but not mentioned as a vulnerability and specifying another model.

Paulino Calderón
calderon()websec.mx

2 comments:

This comment has been removed by the author.

Post a Comment