TL-WDR4300-New.jpg-232b8ee8e338a2a4
The TL-WDR4300 Router. Security experts in Poland have discovered a treacherous backdoor in various router models made by TP-Link. When a specially crafted URL is called, the router will respond by downloading and executing a file from the accessing computer, reports Michał Sajdak from Securitum.

The expert says that when a browser sends an HTTP GET request to http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html, the contacted router will establish a connection back to the visitor’s IP and contact any TFTP server there. It will retrieve a file called nart.out from the TFTP server and execute it as root. However, this normally only works within a local network; an indirect exploit such as a CSRF attack should fail because the required TFTP server must be accessible within the LAN.

a09477fcfa22d9a3
The attack is carried out in four steps and only works from within the local network. Zoom
Source: sekurak.pl

The advisory states that at least the TL-WDR4300 and TL-WR743ND models are affected; however, it often turns out later that the features in question exist on other models as well. Only the manufacturer can ultimately provide clarity – but there has been no response. Sajdak says that he has repeatedly notified TP-Link of the problem but never received a reply, and that this prompted him to publish the details. For those who are interested, the researcher has also documented how he used valid access data to establish an interactive root shell on the router, which ultimately led to the discovery of the backdoor that requires no authentication.

Joseph Forbes (691)

Information Technology Consultant. For SMB, SOHO, and Online business. From Computers to Telecommunications this guy has been into it since hippies made it hip. Drone Pilot and Tech Aficionado I get to travel the State of Texas to help businesses succeed.