TP-Link Routers Multiple Vulnerabilities

Multiple TP-Link routers contain several vulnerabilities.

#1 Default Admin Credentials

According to the TD-W8901g manual the web interface has default credentials.

Open a web browser (either of Windows Internet Explorer, Mozilla Firefox, Apple Safari, Google Chrome, Opera or any other web browser), key in 192.168.1.1 in the address bar and press enter. The default username and password are both “admin” (all in lower case)

#2 Authentication Bypass

If you request the /rom-0 file it does not require authentication. This can be reversed using available tools like the one at http://50.57.229.26/zynos.php. The first string returned is the admin password.

I tested the following routers / firmware versions of the TD-W8901g:

TD-W8901g – 3.0.1 Build 100603 Rel.26888
TD-W8901g – 3.0.1 Build 100901 Rel.23594
TD-W8901g – 3.0.0 Build 100702 Rel.26418
TD-W8961ND – 3.0.0 Build 130422 Rel.05843
TD-8817 – 3.0.1 Build 110402 Rel.02846
TD-8840T – 3.0.0 Build 101208 Rel.36427

There are other vendors that are based on TP-Link affected:

Lnpomcbr3b M-200 A W300V1.0.0a_ZRD_BY1
iball Baton iB-LR6111A 2.0.0 Build 080604 Rel.39621
akeeo amplebit ADSL Router 2.10.7.0(UE3.C2)3.7.7.2.001

Ultimately this is due to the router using the RomPager server. Can identify from the header:

Server: RomPager/4.07 UPnP/1.0

#3 Cleartext User Password Disclosure

By default the router operates over HTTP. Once authenticated as an admin the user account (not a default so it is optional) password will be sent cleartext when navigating the interface. The /basic/home_wan.htm page will make a call to /basic/tc2wanfun.js which contains the password.

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Date: Mon, 20 Jan 2014 02:24:17 GMT
Pragma: no-cache
Expires: Thu, 26 Oct 1995 00:00:00 GMT
Server: RomPager/4.07 UPnP/1.0
EXT:
Content-Length: 23

var pwdppp = “PASSWORD”;

Tags: Defaults, RomPager, Router, Shodan