Some TP-Link routers vulnerable to exploit found in the wild

by Mark Tyson on 1 November 2013, 12:25

Tags: TP-LINK

Quick Link: HEXUS.net/qab4pf

Add to My Vault: x

Several TP-Link routers have been found to be vulnerable to webpage based DNS hijacking attacks. Worryingly the researcher who uncovered information about this vulnerability, Jacob Lell, has also found “an active exploitation campaign,” aimed at the affected TP-Link routers. Meanwhile TP-Link has released updated firmware for some but not all of its affected networking hardware.

We have seen many router exploits before, however this newly reported TP-Link exploit looks more immediately serious as Mr Lell has found “five different instances of the exploit on unrelated websites so far”. An automated client honeypot system set up by Lell generated “some 280 GB of web traffic”. The five unrelated instances of the exploit he found tried to change the primary nameserver to three different IP addresses.

What cybercriminals want to do with this exploit is not exactly known at this time by Lell. During the short time he looked at this vulnerability he judged that it is “possible that the infected routers are used for targeted attacks against a limited number of websites”.

How the vulnerability is exploited

The affected TP-Link routers have something called a CSRF vulnerability. These routers allow access to their web-based administration page using HTTP authentication. “When entering the credentials to access the web interface, the browser typically asks the user whether he wants to permanently store the password in the browser. However, even if the user doesn’t want to permanently store the password in the browser, it will still temporarily remember the password and use it for the current session,” explains Lell.

If a user then visits a compromised site, like one of the five discovered so far, the site attempts to “change the upstream DNS server of the router to an attacker-controlled IP address, which can then be used to carry out man-in-the-middle attacks,” says Lell.

After that DNS change web addresses typed in by the user can be easily redirected to phishing sites and similar places you wouldn’t ordinarilty want to visit. Also, among many other consequences, software updates can be blocked and email accounts hijacked.

Affected devices and recommendations

The following devices are confirmed to be vulnerable:

  • TP-Link WR1043ND V1 up to firmware version 3.3.12 build 120405 is vulnerable (version 3.3.13 build 130325 and later is not vulnerable)
  • TP-Link TL-MR3020: firmware version 3.14.2 Build 120817 Rel.55520n and version 3.15.2 Build 130326 Rel.58517n are vulnerable (but not affected by current exploit in default configuration)
  • TL-WDR3600: firmware version 3.13.26 Build 130129 Rel.59449n and version 3.13.31 Build 130320 Rel.55761n are vulnerable (but not affected by current exploit in default configuration)
  • WR710N v1: 3.14.9 Build 130419 Rel.58371n is not vulnerable
  • Some other untested devices are also likely to be vulnerable

Lell helpfully provides a step-by-step method for people to check to see if their router could be exploited by the newly discovered vulnerability (near the bottom of his article). Meanwhile if you have an affected router it is recommended that you change the default login/password, opt not to save that info in the browser, open a new browser before logging into your router, then restart your browser after finishing your administrative fiddling.



HEXUS Forums :: 4 Comments

Login with Forum Account

Don't have an account? Register today!
I use some TP-Link routers, but use DD-WRT on them. I'm guessing this means mine aren't vulnerable
lol TP-Link… I once had a batch of their routers that had wireless issues (I worked for an ISP and we would give the routers away for free), I called their support and they told me to put tin foil over all the aerials as a fix! Never again.
Throw come credit their way - they do make some brilliant value switches and routers and they actually do have a support line that does work.
What manufacturer hasn't had wireless issues? in fact, I still see compatibilities between certain devices and Sonicwall and Aruba access points……

As for TPLink, I think most software has an exploit and they become prevalent when a device becomes popular, how quickly they fix it is the most important thing and it seems there are already new firmwares that fix it………