Popular TP-Link wireless home router open to remote hijacking

By concatenating a known improper authentication flaw with a newly discovered CSRF vulnerability, remote unauthenticated attackers can obtain full control over TP-Link TL-WR841N, a popular wireless consumer router used worldwide.

“This type of remote attack can also compromise routers behind a network address translator (NAT) and those not exposed to the public wide area network (WAN) as the vulnerability is remotely reflected off a locally connected host, rather than coming directly over WAN,” says Tenable researcher David Wells.

Unfortunately, these holes have yet to be patched by TP-Link.

About the vulnerabilities

TP-Link is the world’s number one provider of consumer wireless networking devices, and TP-Link TL-WR841N is one of the most popular budget routers offered for sale on Amazon, so Wells decided to reverse engineer the latest device’s firmware available at the time (0.9.1 4.16 v0348.0 Build 180119 Rel 66498n) in search for exploitable vulnerabilities.

He found several:

• CVE-2018-11714 – a local improper authentication flaw that would allow unauthenticated attackers to trigger a set of sensitive CGI routines in the router’s admin webpage by spoofing the HTTP Referrer request from tplinkwifi.net, tplinklogin.net or the router’s IP address.
• CVE-2018-15702 – a cross-site request forgery flaw in the HTTP referrer whitelist check function in the router’s httpd service.
• CVE-2018-15700 and CVE-2018-15701 – Two local/unauthenticated denial of service (DoS) vulnerabilities, which can cause the httpd service to crash by sending a malformed HTTP request.

CVE-2018-11714 was simultaneously discovered and independently reported by another researcher. But CVE-2018-15702 is what makes a remote attack possible.

The problem rests in the function that checks whether a provided HTTP referrer matches the ones that have been whitelisted (tplinkwifi.net, tplinklogin.net, router’s IP): it only checks the first 14 or 15 characters.

“Because of this, it turns out that an attacker could simply host an iframe with subdomain of tplinkwifi.net.*, such as: http://tplinkwifi.net.drive-by-attack[.]com, and can force any TP-Link connected user into performing a CSRF to bypass authentication and the referer whitelisting logic to successfully invoke the router’s sensitive CGI routines,” Wells explained.

“Through these routines, an attacker can obtain full control over the router, such as uploading a new configuration file via CSRF which will change the admin’s username/password as well as enable the router’s remote administration interface to allow full remote control of the device across the internet.”

What now?

In an advisory detailing the CSRF and the two DoS vulnerabilities, Tenable has also detailed the efforts it went through to get TP-Link to fix them.

Unfortunately, as it seems, the latest firmware version available for the vulnerable router still sports the flaws. But, as 90 days have passed since they first contacted the company, Tenable publicly released information about their discovery.

Wells has also developed a proof of concept of the CSRF vulnerability and demonstrated its effectiveness.

“This exploit is a great example of how seemingly minor software bugs can be strung together to create a monster of a security issue. When managing and mitigating vulnerabilities in any environment, addressing even the smallest of CVE’s can be enough to remove a seemingly minor link in a devastating exploit chain,” he commented.

What can consumers that own and use the device do? Tenable advises them to contact the vendor directly for further information, perhaps in the hope that they will push the company do get a move on fixing the issues.