TP-Link Routers Multiple Vulnerabilities

Multiple TP-Link routers contain several vulnerabilities.

#1 Default Admin Credentials

According to the TD-W8901g manual the web interface has default credentials.

Open a web browser (either of Windows Internet Explorer, Mozilla Firefox, Apple Safari, Google Chrome, Opera or any other web browser), key in 192.168.1.1 in the address bar and press enter. The default username and password are both “admin” (all in lower case)

#2 Authentication Bypass

If you request the /rom-0 file it does not require authentication. This can be reversed using available tools like the one at http://50.57.229.26/zynos.php. The first string returned is the admin password.

I tested the following routers / firmware versions of the TD-W8901g:

TD-W8901g – 3.0.1 Build 100603 Rel.26888
TD-W8901g – 3.0.1 Build 100901 Rel.23594
TD-W8901g – 3.0.0 Build 100702 Rel.26418
TD-W8961ND – 3.0.0 Build 130422 Rel.05843
TD-8817 – 3.0.1 Build 110402 Rel.02846
TD-8840T – 3.0.0 Build 101208 Rel.36427

tplink0

tplink1

There are other vendors that are based on TP-Link affected:

Lnpomcbr3b M-200 A W300V1.0.0a_ZRD_BY1
iball Baton iB-LR6111A 2.0.0 Build 080604 Rel.39621
akeeo amplebit ADSL Router 2.10.7.0(UE3.C2)3.7.7.2.001

Ultimately this is due to the router using the RomPager server. Can identify from the header:

Server: RomPager/4.07 UPnP/1.0

#3 Cleartext User Password Disclosure

By default the router operates over HTTP. Once authenticated as an admin the user account (not a default so it is optional) password will be sent cleartext when navigating the interface. The /basic/home_wan.htm page will make a call to /basic/tc2wanfun.js which contains the password.

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Date: Mon, 20 Jan 2014 02:24:17 GMT
Pragma: no-cache
Expires: Thu, 26 Oct 1995 00:00:00 GMT
Server: RomPager/4.07 UPnP/1.0
EXT:
Content-Length: 23

var pwdppp = “PASSWORD”;

About these ads

Tags: , , ,

2 Responses to “TP-Link Routers Multiple Vulnerabilities”

  1. pete Says:

    Is there a fix for this? I got hacked via this exploit

  2. kifcaliph Says:

    there is a fix for this vulnerability I published there http://egyptianvulture.blogspot.com/2014/06/how-to-fix-zynos-vulnerability-prevent.html

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Follow

Get every new post delivered to your Inbox.

Join 772 other followers

%d bloggers like this: