Treacherous backdoor found in TP-Link routers

[KIA]

Security experts in Poland have discovered a treacherous backdoor in various router models made by TP-Link. When a specially crafted URL is called, the router will respond by downloading and executing a file from the accessing computer, reports Michał Sajdak from Securitum.

The expert says that when a browser sends an HTTP GET request to http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html, the contacted router will establish a connection back to the visitor's IP and contact any TFTP server there. It will retrieve a file called nart.out from the TFTP server and execute it as root. However, this normally only works within a local network; an indirect exploit such as a CSRF attack should fail because the required TFTP server must be accessible within the LAN.

http://www.h-online.com/security/ne...ackdoor-found-in-TP-Link-routers-1822720.html

At least it isn't accessible from the WAN!

 

[ci_newman]

So not really treacherous then? A hack that is only available from the LAN, assuming that there is a TFTP server running with an appropriate file in place?

 

[KIA]

I would describe it as treacherous. Backdoors, even if they're only available on the LAN, are a big no no. Not a single response from TP-Link after 1 month, not very impressive.

Interactive root shell is also available. http://sekurak.pl/more-information-about-tp-link-backdoor/