Full Disclosure mailing list archives
Re: Tenda, Dlink & Tplink TD-W8961ND - DHCP XSS Vulnerability
From: "Simon Waters (Surevine)" <simon.waters () surevine com>
Date: Mon, 28 Nov 2016 14:42:57 +0000
XSS in DHCP name has been reported on the Full Disclosure mailing list for other models of TP-Link Router before. Seems to be generic to many TP-Link models.

My model has a regular line wrap to the DHCP hostname field, so you need to insert a comment into HTML or JS every N characters into any exploit code, but it is fully exploitable, and you can write arbitrary JS in that space with a little effort.

The attacker would have to inject JavaScript as a DHCP hostname, exhaust the DHCP pool to encourage the admin to view the DHCP page, at which point the attacker would take control of the admin’s browser and current session using a tool such as BeEF XSS.

So anyone who can get a DHCP lease from a TP-Link router can use this to obtain a reasonable chance of acquiring admin privileges on that router.

That TP-Link continue to sell routers with basic security vulnerabilities like these is unimpressive, and there doesn’t seem to be an effective support channel to get these issues fixed, or updates released.

Simon Waters
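The firmware-side fix for the class of bug described in this message, as an added example that is not part of the original post or of any vendor's code: check the client-supplied DHCP hostname when the lease is recorded and HTML-escape it when the lease table is rendered. The function names and the placeholder text are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Lease-time check: letters, digits, '-' and '.', 1..63 bytes,
   not starting or ending with '-'. Everything else is rejected. */
int hostname_is_ldh(const unsigned char *h, size_t len)
{
    if (len == 0 || len > 63 || h[0] == '-' || h[len - 1] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = h[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-' || c == '.';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Render-time encoding for HTML element and attribute context.
   Returns the number of bytes written, or -1 if out is too small. */
int html_escape(const unsigned char *in, size_t len, char *out, size_t cap)
{
    size_t o = 0;
    if (cap == 0)
        return -1;
    for (size_t i = 0; i < len; i++) {
        /* control bytes and non-ASCII are shown as '?' */
        char one[2] = { (in[i] < 0x20 || in[i] > 0x7e) ? '?' : (char)in[i], 0 };
        const char *rep = one;
        switch (in[i]) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = strlen(rep);
        if (o + n + 1 > cap)
            return -1;
        memcpy(out + o, rep, n);
        o += n;
    }
    out[o] = '\0';
    return (int)o;
}

/* One lease-table cell: invalid names become a fixed placeholder, and
   valid ones are still escaped so the page never emits raw client bytes. */
int render_hostname_cell(const unsigned char *h, size_t len, char *out, size_t cap)
{
    static const char ph[] = "(invalid hostname)"; /* hypothetical text */
    if (!hostname_is_ldh(h, len))
        return html_escape((const unsigned char *)ph, sizeof ph - 1, out, cap);
    return html_escape(h, len, out, cap);
}
```

Escaping has to happen before any fixed-width line wrapping of the field, otherwise a wrap can split an entity such as `&lt;` in the middle.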
Current thread:
- Tenda, Dlink & Tplink TD-W8961ND - DHCP XSS Vulnerability Vulnerability Lab (Nov 28)
- Re: Tenda, Dlink & Tplink TD-W8961ND - DHCP XSS Vulnerability Simon Waters (Surevine) (Nov 28)