More information about TP-Link backdoor

Source: Internet
Author: User
Tags ftp connection

During the analysis of this TP-Link backdoor, I found other issues, which can be handy when analyzing other devices. finally the following path leads to remote root exec (useful for debugging purposes ). let's see.

The router allows for ftp connections. But the ftp session is somehow chrooted (ie. one can access only ftp root and USB shared directories ):

Standard ftp connection

Let's try a little trick now. After plugging a USB flash drive into the router we can share a folder from the USB to be available on FTP:

 

Folder sharing

By clicking 'save' I issue an HTTP request, which I can intercept in local http proxy, and modify it like this (ie. path traversal ):

Path traversal

After this I can traverse all the filesystem-also in write mode:

Path traversal-ftp

But how can I have interactive root-shell? OK, after searching/tmp directory, there is/tmp/samba/smb. conf which can be overwritten. Brief analysis of samba documentation shows gateways of executing external binary. For example:

 

123 Root preexec (S) This is the same as the preexec parameter t that the command is run as root. This is useful for mounting filesystems (such as CDROMs) when a connection is opened.

As you can see, this option (root preexec) apart from CDROM mounting can be used to debug routers After modification the config looks like this:

Modified smb. conf

/Tmp/szel is just a netcat binary (compiled for MIPS architecture) and uploaded by ftp (see the earlier path traversal trick). Now we can try out remote root shell:

Remote root

Interactive root is nice, but how can it help with locating issues like this? OK, let's search httpd binary for strings (httpd can be downloaded from the router-for example-using ftp ):

Here we can seeStart_art.htmlString mentioned in the original disclosure. But how does it work? Let's check what is going on the router when start_art.html is launched:

Now it's clear-192.168.0.100 is my IP address and nart. out is 777 chmoded and then executed...

Educational use only! We are also not resposible for any potential damages of the devices which are tested for this vulnerability.

-Micha unzip Sajdak (michal. sajdak <at> securitum. pl)

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.