[Image: The TL-WDR4300 router]

Security experts in Poland have discovered a treacherous backdoor in various router models made by TP-Link. When a specially crafted URL is called, the router will respond by downloading and executing a file from the accessing computer, reports Michał Sajdak from Securitum.
The expert says that when a browser sends an HTTP GET request to http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html, the contacted router will establish a connection back to the visitor's IP and contact any TFTP server there. It will retrieve a file called nart.out from the TFTP server and execute it as root. However, this normally only works within a local network; an indirect exploit such as a CSRF attack should fail because the required TFTP server must be accessible within the LAN.
The attack is carried out in four steps and only works from within the local network.
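The two-stage behaviour described above (a GET for the debug URL, followed by the router itself issuing a TFTP read request back to the visitor) leaves a distinctive pattern on the LAN that a network sensor can match. The following detector is an added example written for this page, not code from Securitum, Michał Sajdak or TP-Link; it parses TFTP read/write requests per RFC 1350 and HTTP request lines, flags the two indicators the article names, and runs over constructed sample traffic. The `scan_events` tuple shape and the sample addresses are assumptions made for the example.

```python
"""Detection helper for the TP-Link debug-URL / TFTP backdoor described above.

Added example, not code from Securitum or TP-Link. It recognises the two
indicators the article names: an HTTP GET for the
userRpmNatDebugRpm26525557/start_art.html path (the trigger) and a TFTP
read request (RRQ) for the file nart.out (the fetch stage, sent *by* the
router to the host that issued the GET). Sample traffic is constructed.
"""

BACKDOOR_PATH = "/userRpmNatDebugRpm26525557/start_art.html"
BACKDOOR_FILE = "nart.out"
TFTP_RRQ = 1  # RFC 1350 opcode for a read request


def parse_tftp_request(payload: bytes):
    """Return (opcode, filename, mode) for a TFTP RRQ/WRQ payload, or None.

    Layout per RFC 1350: 2-byte opcode, filename, NUL, mode, NUL
    (optional RFC 2347 options may follow the second NUL).
    """
    if len(payload) < 4:
        return None
    opcode = int.from_bytes(payload[:2], "big")
    if opcode not in (1, 2):
        return None  # DATA/ACK/ERROR/OACK carry no filename
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None  # filename or mode missing / not NUL-terminated
    filename = fields[0].decode("ascii", "replace")
    mode = fields[1].decode("ascii", "replace").lower()
    return opcode, filename, mode


def is_backdoor_tftp_request(payload: bytes) -> bool:
    """True for a TFTP *read* request whose basename is nart.out."""
    parsed = parse_tftp_request(payload)
    if parsed is None:
        return False
    opcode, filename, _mode = parsed
    # Compare the basename so "nart.out" and "/nart.out" both match.
    return opcode == TFTP_RRQ and filename.rsplit("/", 1)[-1] == BACKDOOR_FILE


def is_backdoor_http_request(request_line: str) -> bool:
    """True if an HTTP request line is a GET for the debug path.

    Query strings are ignored, and an absolute-form target
    (GET http://host/path) is reduced to its path.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return False
    method, target = parts[0], parts[1]
    path = target.split("?", 1)[0]
    if path.lower().startswith(("http://", "https://")):
        rest = path.split("://", 1)[1]
        path = "/" + rest.split("/", 1)[1] if "/" in rest else "/"
    return method.upper() == "GET" and path == BACKDOOR_PATH


def scan_events(events):
    """Scan (proto, src, dst, payload) tuples; return a list of alert dicts.

    Direction matters: a 'fetch' alert whose src is the router address is
    the tell-tale second stage, since routers normally do not pull files
    from LAN clients over TFTP.
    """
    alerts = []
    for proto, src, dst, payload in events:
        if proto == "http":
            first_line = payload.decode("ascii", "replace").splitlines()[0]
            if is_backdoor_http_request(first_line):
                alerts.append({"stage": "trigger", "src": src, "dst": dst})
        elif proto == "tftp" and is_backdoor_tftp_request(payload):
            alerts.append({"stage": "fetch", "src": src, "dst": dst})
    return alerts


# Constructed sample traffic: a client hits the debug URL on the router,
# the router answers with a TFTP RRQ for nart.out, plus two benign flows.
SAMPLE_EVENTS = [
    ("http", "192.168.0.23", "192.168.0.1",
     b"GET /userRpmNatDebugRpm26525557/start_art.html HTTP/1.1\r\n"
     b"Host: 192.168.0.1\r\n\r\n"),
    ("tftp", "192.168.0.1", "192.168.0.23", b"\x00\x01nart.out\x00octet\x00"),
    ("http", "192.168.0.23", "192.168.0.1",
     b"GET /index.html HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"),
    ("tftp", "192.168.0.50", "192.168.0.9", b"\x00\x01firmware.bin\x00octet\x00"),
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Because the article notes that the TFTP server must be reachable from the router's LAN side, the same indicators can also be enforced rather than merely observed: dropping outbound UDP/69 from the router toward LAN clients breaks the fetch stage regardless of whether the trigger URL is reached.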
The advisory states that at least the TL-WDR4300 and TL-WR743ND models are affected; however, it often turns out later that the features in question exist on other models as well. Only the manufacturer can ultimately provide clarity – but there has been no response. Sajdak says that he has repeatedly notified TP-Link of the problem but never received a reply, and that this prompted him to publish the details. For those who are interested, the researcher has also documented how he used valid access data to establish an interactive root shell on the router, which ultimately led to the discovery of the backdoor that requires no authentication.