Path traversal in TP-LINK WR740 and possibly othersPath traversal in TP-LINK WR740 and possibly others
Summary
TP-Link WR740 routers are vulnerable to a path traversal vulnerability on the web administration interface. Unauthenticated users are able to read any file from the device.
Description
| Models: | WR740N, WR740ND and possibly others. Update: People have been reporting on forums that models WR743ND,WR842ND,WA-901ND,WR941N,WR941ND,WR1043ND,WR2543ND,MR3220,MR3020,WR841N are also based on the same HTTP daemon but we haven't been able to test it ourselves. |
| Firmware: | 3.12.11 Build 111130 Rel.55312n and possibly others |
| Date: | 26/05/2012 |
| Severity: | High |
| Impact: | Disclosure of configuration and password files. |
| Attack vector: | Remote. No auth required. |
| Solution: | N/A |
The router TP-Link WR740ND/WR740N has a HTTP server running on port 80 handling the web management interface.
There exists a path traversal vulnerability in the URI "/help" that allows attackers to read any file including configurations.
It is possible to read other configuration files if the services have been configured previously. (No-IP, DyDNS, Samba, NFS)
POC
After further research we discovered that the URL was posted before on some russian forum, but not mentioned as a vulnerability and specifying another model.
Paulino Calderón
calderon()websec.mx
YOUTUBE
TWITTER
FACEBOOK
BLOG
EMAIL US