Full Disclosure mailing list archives

Re: Tenda, Dlink & Tplink TD-W8961ND - DHCP XSS Vulnerability


From: "Simon Waters (Surevine)" <simon.waters () surevine com>
Date: Mon, 28 Nov 2016 14:42:57 +0000

XSS in DHCP name has been reported on the Full Disclosure mailing list for other models of TP-Link Router before.

Seems to be generic to many TP-Link models.

My model has a regular line wrap to the DHCP hostname field, so you need to insert a comment into HTML or JS every N 
characters into any exploit code, but it is fully exploitable, and you can write arbitrary JS in that space with a 
little effort.

The attacker would have to inject JavaScript as a DHCP hostname, exhaust the DHCP pool to encourage the admin to view 
the DHCP page, at which point the attacker would take control of the admin’s browser and current session using a tool 
such as BeEF XSS.

So anyone who can get a DHCP lease from a TP-Link router can use this to obtain a reasonable chance of acquiring admin 
privileges on that router.

That TP-Link continue to sell routers with basic security vulnerabilities like these is unimpressive, and there doesn’t 
seem to be an effective support channel to get these issues fixed, or updates released.

Simon Waters
phone  +448454681066
email  simon.waters () surevine com <mailto:simon.waters () surevine com>
skype  simon.waters.surevine <skype://simon.waters.surevine>

Participate | Collaborate | Innovate

Surevine Limited, registered in England and Wales with number 06726289. Mailing Address : PO Box 1136, Guildford GU1 9ND
If you think you have received this message in error, please notify us.
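The mitigations the post implies, written up here as added example code (not the router firmware's or the author's): an RFC 1123 allow-list for the DHCP hostname, HTML escaping of every client-supplied field when the lease table is rendered, and a scan over lease records that flags hostnames an admin page should never echo. The lease record format, the function names and the sample leases are assumptions constructed for the example.

```python
import html
import re

# RFC 1123 label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name: str) -> bool:
    """Strict allow-list check for a DHCP option-12 hostname (RFC 1123 syntax)."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def render_lease_row(mac: str, ip: str, hostname: str) -> str:
    """Build one <tr> for a DHCP client table.

    Every client-influenced field is HTML-escaped, and a hostname that fails the
    allow-list is replaced by a fixed marker, so nothing the client sent reaches
    the admin page as markup.
    """
    shown = hostname if is_valid_hostname(hostname) else "(invalid hostname)"
    cells = (html.escape(mac, quote=True),
             html.escape(ip, quote=True),
             html.escape(shown, quote=True))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


# Constructed sample lease records (assumed format "<mac> <ip> <hostname>"); not from the post.
SAMPLE_LEASES = """\
aa:bb:cc:00:00:01 192.168.0.10 laptop-01
aa:bb:cc:00:00:02 192.168.0.11 <b>bold</b>
aa:bb:cc:00:00:03 192.168.0.12 printer.lan
aa:bb:cc:00:00:04 192.168.0.13 -bad-
"""


def suspicious_leases(lease_text: str) -> list:
    """Return (mac, ip, hostname) for every lease whose hostname fails the allow-list.

    Useful as a detection pass over exported lease data: a hostname carrying
    markup characters is a sign someone is probing the admin UI.
    """
    flagged = []
    for line in lease_text.splitlines():
        parts = line.split(None, 2)  # hostname keeps any embedded whitespace
        if len(parts) != 3:
            continue
        mac, ip, hostname = parts
        if not is_valid_hostname(hostname):
            flagged.append((mac, ip, hostname))
    return flagged
```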



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/