what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

TP-Link Cross Site Scripting

TP-Link Cross Site Scripting
Posted Mar 26, 2021
Authored by Kaustubh G. Padwad, Smriti Gaba

Multiple TP-Link devices suffer from an unauthenticated persistent cross site scripting vulnerability. Affected models include TD-W9977, TL-WA801ND, TL-WA801N, TL-WR802N, and Archer-C3150.

tags | exploit, xss
advisories | CVE-2021-3275
SHA-256 | e35e1937104dc66eacb185dee5eb8adeeab2b99d9f05fd8364987d6dd5a729bd

TP-Link Cross Site Scripting

Change Mirror Download
==============================================================
Unauthenticated Stored Cross-site Scripting in Multiple TP-Link Devices
==============================================================

Overview
========

Title:- Unauthenticated Stored Cross-site Scripting in TP-Link Devices.
CVE-ID :- CVE-2021-3275
Author: Smriti Gaba, Kaustubh Padwad
Vendor: TP-LINK (https://www.tp-link.com)
Products:
1. DSL and DSL Gateway
2. Access Points
3. WIFI Routers


Tested Version: : Multiple versions of DSL & DSL Gateway, WIFI Routers and
Access Points including:

-------------------------------------------------------------------------------
Model | Firmware Version
|
-------------------------------------------------------------------------------
TD-W9977 |
TD-W9977v1_0.1.0_0.9.1_up_boot(161123)_2016-11-23_15.36.15 |
TL-WA801ND | TL-WA801NDv5_US_0.9.1_3.16_up_boot[170905-rel56404]
|
TL-WA801N | TL-WA801Nv6_EU_0.9.1_3.16_up_boot[200116-rel61815]
|
TL-WR802N | TL-WR802Nv4_US_0.9.1_3.17_up_boot[200421-rel38950]
|
Archer-C3150 | ArcherC3150(US)_V2_170926)
|
-------------------------------------------------------------------------------

Severity: Med-High

About the Product:
==================

* The (products from above list) are high performance WIFI
Routers(Wireless AC routers), Access Points, ADSL + DSL Gateways and
Routers.
* Provides Configuration modes: Access Point mode, Router Mode, Range
Extender mode.
* Provide Ethernet and other interfaces to meet the access requirements of
different devices.
* It can provide high-performance functionalities, services for home users,
individual users, and businesses.
* Supports multiple functionalities including CWMP management, TR069
Configuration, SNMP management, Traffic statistics, etc.

Description:
============
An issue was discovered, common to all the TP-Link products including WIFI
Routers(Wireless AC routers), Access Points, ADSL + DSL Gateways and
Routers.
This affected TD-W9977v1,TL-WA801NDv5, TL-WA801Nv6, TL-WA802Nv5, Archer
C3150v2 devices.
A malicious XSS payload if injected in hostname of Wireless Client devices
connected to TP-Link device, allows remote attackers to execute
unauthenticated malicious scripts because of improper validation of
hostname. Some of the pages including dhcp.htm, networkMap.htm,
dhcpClient.htm, qsEdit.htm, qsReview.htm and others use this vulnerable
hostname function(setDefaultHostname()) without sanitization and push the
value of hostname ($defaulthostname) directly to the ACT stack along with
other parameters. The ACT stack is called on for multiple operation ids
covering LAN, WAN and while intialisation of multiple tables (arp, dhcp,
client list) across the device. For example, ACT_SET stack for WAN_IP_CONN
is called while dhcp operation, during which value of vulnerable
defaulthostname is being assigned to parameter X_TP_Hostname and pushed to
stack.
This causes XSS at all the endpoints which display hostname for example:
Wireless client information table, ARP bind table such as networkMap, DHCP.


Additional Information
========================
The hostname value is only validated on ASCII characters, while there is no
validation for Non-ASCII characters which allows hostname with XSS payload
say "<script>alert('XSS')</script>" to execute.
This value of hostname is pushed to an array as plain text along with IP
address and MAC address in initClientListTable() function, and other tables
use the same value of hostname accross the device. This array is then
returned to the callback function which in turn is called from proxy.js.
This data is pushed to stack corresponding to operation:"LAN_HOST_ENTRY"
(vary for different firmware), operation id: "gl" (gl is getList function).
As client initiates request with operation id:"LAN_HOST_ENTRY" and oid:
"gl", $dm.getList and $.act is called which fetches the corresponding stack
and sends data to ajax call. The crafted value of hostname is sent to the
device and results in execution of payload.


[Affected Component]
hostName parameter inside different htm pages including DHCP, DhcpAP,
ArpBind, networkMap.

------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true

------------------------------------------
[Attack Vectors]
Malicious payload execution on initiating request for Wireless Client List
table or DHCP html page.

[Vulnerability Type]
====================
Stored Cross-site Scripting

How to Reproduce: (POC):
========================

1. Change the default hostname of wireless client by using following
command (for Linux):
a. vi /etc/dhcp/dhclient.conf
b. Insert and change the value of hostname to xss payload
"<script>alert('XSS')</script>"
2. Renew IP address by sending DHCP request to TP-Link device via
following command:
a. vi /etc/network/interfaces
b. Add these lines:
auto wlan0
iface wlan0 inet dhcp
c. On Terminal run command: ifup wlan0
3. Login to the router web interface, navigate to DHCP settings or
Wireless Client tab.
4. As soon as DHCP or Wireless client table is requested Xss payload
executes and pops up alert box.

Mitigation
==========

---------------------------------------------------------------------------------------------------------
| Model | Firmware Version
| Mitigation Comments |
---------------------------------------------------------------------------------------------------------
| TL-WA801ND | TL-WA801NDv5_US_0.9.1_3.16_up_boot[170905-rel56404]
| Patched |
| TL-WA801N | TL-WA801Nv6_EU_0.9.1_3.16_up_boot[200116-rel61815]
| Patched |
| TL-WR802N | TL-WR802Nv4_US_0.9.1_3.17_up_boot[200421-rel38950]
| Patched |
| Archer-C3150 | ArcherC3150(US)_V2_170926)
| EOL Product |
| TD-W9977 |
TD-W9977v1_0.1.0_0.9.1_up_boot(161123)_2016-11-23_15.36.15 | EOL Product
|
---------------------------------------------------------------------------------------------------------

Link for patched software version for products:
1. TL-WA801ND -
https://tp-link.com/beta/2021/202101/20210120/TL-WA801NDv5_US_0.9.1_3.16_up_boot[210119-rel61453].zip
2. TL-WA801N -
https://tp-link.com/beta/2021/202101/20210120/TL-WA801Nv6_EU_0.9.1_3.16_up_boot[210119-rel62190].zip
3. TL-WR802N -
https://tp-link.com/beta/2021/202101/20210120/TL-WR802Nv4_US_0.9.1_3.17_up_boot[210119-rel63071].zip

[Vendor of Product]
TP-LINK (https://www.tp-link.com)

Disclosure Timeline:
===================
24-July-2020 Discoverd the vulnerability
11-Aug-2020 Responsibly disclosed vulnerability to vendor
15-Aug-2020 Vendor Acknowledged the disclosure
17-Nov-2020 Communicated with vendor after 90 days for updates
19-Nov-2020 Vendor asked for model and version details
20-Nov-2020 Provided the required details to vendor
25-Nov-2020 Vendor provided software build to verify the issue
9-Dec-2020 Issue not fixed in the provided software.
4-Jan-2021 Asked Updates on the status of the issue.
20-Jan-2021 Vendor provided software build to verify the issue.
20-Jan-2021 Issue found fixed in the provided software.
21-Jan-2021 Requested for CVE-ID assignment
25-March-2021 CVE-ID Assigned.

credits:
========

* Smriti Gaba
* Security Researcher
* smritigaba548@gmail.com
* https://www.linkedin.com/in/smriti-gaba-658795135/

* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@me.com
* https://twitter.com/s3curityb3ast


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close