[kwlug-disc] [kwlug-announce] Meeting Monday: OpenWRT

William Park opengeometry at yahoo.ca
Fri Aug 15 22:34:40 EDT 2014


On Fri, Aug 15, 2014 at 10:06:11PM -0400, Khalid Baheyeldin wrote:
> On Fri, Aug 15, 2014 at 9:54 PM, Paul Gallaway <paul at gallaway.ca> wrote:
> 
> > On Thu, Aug 14, 2014 at 2:05 PM, Khalid Baheyeldin <kb at 2bits.com> wrote:
> > > Those who have that router can test using the proof of concept that is
> > > detailed here
> > >
> > > http://sekurak.pl/tp-link-httptftp-backdoor/
> >
> > Looking at the link, the exploit is run from:
> > http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html
> >
> > I tried testing from the LAN side and the page was not found. Just the
> > nature of how it is executed tells me that OpenWRT has completely replaced
> > it.
> >
> 
> Yes, the page says a 200 is returned, but it returned a 404 for you, so we
> are half way there.
> 
> The page also says: "the router downloads a file (nart.out) from the host
> which has issued the http request and executes it as root"
> 
> So, do it with wget on a host that has an HTTP server, then check the HTTP
> logs to be 100% sure.

Actually, it's TFTP.  
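
Since the fetch is TFTP, an HTTP access log on the test host will show nothing either way. The following is an added example, not part of the thread: a passive check that records TFTP read requests for `nart.out` and never answers them. The function names are illustrative, UDP port 69 is the standard TFTP port, and the sample datagrams are constructed.

```python
import socket
import struct

RRQ = 1  # TFTP read-request opcode (RFC 1350)

def parse_rrq(datagram: bytes):
    """Return (filename, mode) for a well-formed TFTP RRQ, else None."""
    if len(datagram) < 4:
        return None
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode != RRQ:
        return None
    # Body is: filename NUL mode NUL, optionally followed by RFC 2347 options.
    fields = datagram[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    try:
        return fields[0].decode("ascii"), fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        return None

def is_backdoor_fetch(datagram: bytes, wanted: str = "nart.out") -> bool:
    """True if the datagram is an RRQ for the file named on the sekurak page."""
    parsed = parse_rrq(datagram)
    return parsed is not None and parsed[0].rsplit("/", 1)[-1] == wanted

def watch(bind_addr: str = "0.0.0.0", port: int = 69, timeout: float = 30.0):
    """Log incoming RRQs for `timeout` seconds. Sends no reply, serves no file."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))  # ports below 1024 need root on most systems
        s.settimeout(timeout)
        try:
            while True:
                data, peer = s.recvfrom(1024)
                flag = "MATCH" if is_backdoor_fetch(data) else "other"
                print(peer[0], parse_rrq(data), flag)
        except socket.timeout:
            return

# Constructed sample datagrams (not captured from a router).
SAMPLE_RRQ = b"\x00\x01nart.out\x00octet\x00"
SAMPLE_WRQ = b"\x00\x02nart.out\x00octet\x00"

if __name__ == "__main__":
    print(parse_rrq(SAMPLE_RRQ))
    watch()
```

No request logged from the router's address during the test window, together with the 404, is consistent with the handler being absent from the firmware.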




