lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <EBCAA892-4017-4783-A15F-40D0462A37FE@surevine.com>
Date: Mon, 28 Nov 2016 14:42:57 +0000
From: "Simon Waters (Surevine)" <simon.waters@...evine.com>
To: Vulnerability Lab <research@...nerability-lab.com>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>,
 support.uk@...link.com
Subject: Re: [FD] Tenda, Dlink & Tplink TD-W8961ND - DHCP XSS Vulnerability

XSS in DHCP name has been reported on the Full Disclosure mailing list for other models of TP-Link Router before.

Seems to be generic to many TP-Link models.

My model has a regular line wrap to the DHCP hostname field, so you need to insert a comment into HTML or JS every N characters into any exploit code, but it is fully exploitable, and you can write arbitrary JS in that space with a little effort.

The attacker would have to inject JavaScript as a DHCP hostname, exhaust the DHCP pool to encourage the admin to view the DHCP page, at which point the attacker would take control of the admin’s browser and current session using a tool such as BeEF XSS.

So anyone who can get a DHCP lease from a TP-Link router can use this to obtain a reasonable chance of acquiring admin privileges on that router.

That TP-Link continue to sell routers with basic security vulnerabilities like these is unimpressive, and there doesn’t seem to be an effective support channel to get these issues fixed, or updates released.

Simon Waters
phone  +448454681066
email  simon.waters@...evine.com <mailto:simon.waters@...evine.com>
skype  simon.waters.surevine <skype://simon.waters.surevine>

Participate | Collaborate | Innovate

Surevine Limited, registered in England and Wales with number 06726289. Mailing Address : PO Box 1136, Guildford GU1 9ND
If you think you have received this message in error, please notify us.



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ