Details of VAR-E-201609-0022

ID

VAR-E-201609-0022

EDB ID

40432

TITLE

TP-Link Archer CR-700 - Cross-Site Scripting - Hardware webapps Exploit

Trust: 0.6

sources: EXPLOIT-DB: 40432

DESCRIPTION

TP-Link Archer CR-700 - Cross-Site Scripting.. webapps exploit for Hardware platform

Trust: 0.6

sources: EXPLOIT-DB: 40432

AFFECTED PRODUCTS

vendor:

tp link

model:

archer cr-700

scope:

version:

Trust: 1.6

sources: EXPLOIT-DB: 40432 // EDBNET: 87906

EXPLOIT

# Exploit Title: TP-Link Archer CR-700 XSS vulnerability
# Google Dork: N/A
# Date: 09/07/2016
# Exploit Author: Ayushman Dutta
# Vendor Homepage: http://www.tp-link.us/
# Software Link: N/A
# Version: 1.0.6 (REQUIRED)
# Tested on: Linux
# CVE : N/A
#Exploit Information:
https://github.com/ayushman4/TP-Link-Archer-CR-700-XSS-Exploit/blob/master/README.md

TP-Link-Archer-CR-700-XSS-Exploit

Exploiting TP-Link Archer CR-700 Router. (Responsibly Disclosed to TP-Link)

Step 1-> On you linux machine (Kali or Ubuntu) type the following command

gedit /etc/dhcp/dhclient.conf

Comment out the line below
send host-name = gethostname();

Copy it to the line below it and change the gethostname() function to an XSS script like below.

send host-name = "<script>alert(5)</script>";

Step 2:Restart your linux system so that the changes takes into effect.

Step 3: Send a DHCP request to the router to receive an IP address with the command below.(Try this on any open network routers which is using TP-Link Archer CR-700)

dhclient -v -i wlan0

On running the command above, it send a DHCP request to the router. On a DHCP request, the host name is sent to which we have forcibly set it to an XSS script <script>alert(5)</script>

Step 4: Login to the administrator console.

On logging in the Script executes.

One more issue that I saw in the router that was that there was no CSRF token. The cookie set by the router contains a base64 encoded username & password whcih can be stolen using an XSS script.

Note:All The above information has been disclosed to TP-Link, who have reporduced the problem and passed it to their R&D team to fix the issue.

A URL to the product https://www.amazon.com/Wireless-Certified-Cablevision-Archer-CR700/dp/B012I96J3W

Trust: 1.0

sources: EXPLOIT-DB: 40432

EXPLOIT LANGUAGE

txt

Trust: 0.6

sources: EXPLOIT-DB: 40432

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 40432

TYPE

Cross-Site Scripting

Trust: 1.6

sources: EXPLOIT-DB: 40432 // EDBNET: 87906

CREDITS

Ayushman Dutta

Trust: 0.6

sources: EXPLOIT-DB: 40432

EXTERNAL IDS

db:	EXPLOIT-DB	id:	40432	Trust: 1.6
db:	EDBNET	id:	87906	Trust: 0.6

sources: EXPLOIT-DB: 40432 // EDBNET: 87906

REFERENCES

url:

https://www.exploit-db.com/exploits/40432/

Trust: 0.6

sources: EDBNET: 87906

SOURCES

db:	EXPLOIT-DB	id:	40432
db:	EDBNET	id:	87906

LAST UPDATE DATE

2022-07-27T09:15:18.577000+00:00

SOURCES RELEASE DATE

db:	EXPLOIT-DB	id:	40432	date:	2016-09-27T00:00:00
db:	EDBNET	id:	87906	date:	2016-09-27T00:00:00