Taking over the TP-LINK WR1043N
- The WR1043N can be taken over by a remote adversary through CSRF attack.
The TP-LINK WR1043N router is susceptible to several CSRF attacks, which allow an attacker to forge HTML forms and execute actions on behalf of a legitimate user. ISE created a proof of concept that when executed by an unsuspecting device administrator, traverses the /tmp filesystem of the WR1043N and makes it an FTP share, and enables Internet access to the router's FTP server.
Like most susceptible routers, it is possible to enable remote management using CSRF against the WR1043N. However, this is not useful to an attacker, because it is not possible to reset the administrative credentials to the WR1043N without knowing the previous username and password. Instead, ISE combined cross-site request forgery, the Internet-accessible FTP server's access to the /tmp directory, and a race condition between the web interface's writing of a shell script and executing it, to obtain root shell access to the router.
- The victim must have an active management session with the WR1043N.
- The victim must be fooled in to performing an action (e.g., by clicking an attacker provided link), browse to a malicious or compromised site, or be the victim of a man-in-the-middle attack.
All HTML forms present in the TP-LINK WR1043N are susceptible to Cross-Site Request Forgery.
The FTP server embedded in the TP-LINK WR1043N is designed to provide access only to an attached USB flash or hard drive, but a vulnerability in the web interface allows sharing of other directories (including the root file system).
After a user modifies the "Bandwidth Control Settings" using the administrative interface on the WR1043N, the interface writes a shell script to the file /tmp/wr841n/tc.sh, and executes it. A race condition exists between the web interface writing this script and executing it. A remote attacker with access to the /tmp directory using the FTP server can repeatedly upload a replacement tc.sh containing arbitrary shell commands to be run as root.
Concurrent with our research, another security researcher discovered and reported the FTP traversal vulnerability. However, that researcher did not combine the vulnerability with cross-site request forgery to develop a remote attack.
- Vulnerable Firmware is TL-WR1043ND_V1_120405.
- Other versions of the firmware were not tested.
A successful attack exploiting this vulnerability can give a remote adversary full control of the victim router.
Recommendations to the vendor
- Cross-Site request forgery can be prevented by including an unpredictable token in each HTTP request submitted to the web server. At a minimum, these tokens should be unique to each user, but it is recommended that each HTML form delivered contain a unique token.
- In addition to HTML form tokens, HTTP referer checking should be enabled.
- Configuration pages that accept filenames from the browser should canonicalize those paths before using them, in case the path contains symbolic or hard links (including "." or "..") that would cause the router to serve a file outside of the intended directory.
- The FTP server should be re-engineered to ensure that users cannot access files outside of the intended FTP directory, such as canonicalization or use of the "chroot" call.
- Additional information for vendors regarding immediate and long term fixes for these issues can be found on our summary page here.
Recommendations to device administrators
- (4/29/2013) A firmware upgrade has been provided by TP-Link.
- Take additional preventative measures and precautions by following the steps outlined on our summary page here.
Proof of Concept
In the following proof of concept attack, we assume that a TP-LINK WR1043N device administrator with an active management session established with the router has browsed to a malicious web page. Once there, a series of automatic form submissions take place, one after the other, to the Administrator's router, from the Administrator's browser. Since the Administrator has a current session established with the TP-LINK router, the form submissions are processed.
The malicious page (Figure 1) makes six requests to the WR1043N using HTML img tags. Requests one through four share the /tmp directory over the FTP server, change the password for admin to "ise", make the FTP server Internet-accessible, and start the FTP server, respectively. Request five enables the bandwidth control option of the router; its only purpose is to ensure that request six actually causes the tc.sh file to be rerun. After request five, the attacker (presumably using a script triggered by the victim accessing the attack page) connects to the router's FTP server and continuously uploads a replacement tc.sh file containing malicious commands. Request six disables the bandwidth control option of the router. After receiving request six, due to the race condition: (1) the web interface writes a new copy of tc.sh, (2) the attacker overwrites tc.sh using FTP, and (3) the web interface executes tc.sh.
After obtaining root shell access, an attacker could perform any attack imaginable by compiling and uploading additional commands using the FTP server.
- More information about TP-Link backdoor
- CVE-2013-2644: FTP Directory Traversal
- CVE-2013-2645: Cross-Site Request Forgery
- CVE-2013-2646: Denial of Service
- Discovered By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators
- Initial exploit By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators
- Exploit revised by: Jacob Thompson – Security Analyst @ Independent Security Evaluators
- For more information on this particular Belkin hack, you can contact us at firstname.lastname@example.org
- Alternatively, for more general information on ISE, you can reach us using email@example.com