Re: Tenda, Dlink & Tplink TD-W8961ND – DHCP XSS Vulnerability

fulldisclosure logo
Full Disclosure
mailing list archives

Re: Tenda, Dlink & Tplink TD-W8961ND – DHCP XSS Vulnerability

From: “Simon Waters (Surevine)” <simon.waters () surevine com>

Date: Mon, 28 Nov 2016 14:42:57 +0000

XSS in DHCP name has been reported on the Full Disclosure mailing list for other models of TP-Link Router before.

Seems to be generic to many TP-Link models.

My model has a regular line wrap to the DHCP hostname field, so you need to insert a comment into HTML or JS every N 
characters into any exploit code, but it is fully exploitable, and you can write arbitrary JS in that space with a 
little effort.

The attacker would have to inject JavaScript as a DHCP hostname, exhaust the DHCP pool to encourage the admin to view 
the DHCP page, at which point the attacker would take control of the admin’s browser and current session using a tool 
such as BeEF XSS.

So anyone who can get a DHCP lease from a TP-Link router can use this to obtain a reasonable chance of acquiring admin 
privileges on that router.

That TP-Link continue to sell routers with basic security vulnerabilities like these is unimpressive, and there doesn’t 
seem to be an effective support channel to get these issues fixed, or updates released.

Simon Waters
phone  +448454681066
email  simon.waters () surevine com <mailto:simon.waters () surevine com>
skype  simon.waters.surevine <skype://simon.waters.surevine>

Participate | Collaborate | Innovate

Surevine Limited, registered in England and Wales with number 06726289. Mailing Address : PO Box 1136, Guildford GU1 9ND
If you think you have received this message in error, please notify us.

Sent through the Full Disclosure mailing list
Web Archives & RSS:

  By Date  
  By Thread  

Current thread:

Source: Full Disclosure @ November 28, 2016 at 01:49PM