TPLink tl-wr802n Auth bypass

The TPLink tl-wr802n version 4.0 is vulnerable to authentication bypass via altering the referrer attribute.

I did not realize that this vulnerability had been previously disclosed except that the model mentioned above was not included or known about in the initial report.  I am linking to securelayer7’s finding first so that you can read it.

http://blog.securelayer7.net/time-to-disable-tp-link-home-wifi-router/

I really wanted to like this device but I couldn’t make myself use it in a public setting.  That being said tplink was very fast in providing a beta firmware for me to try which fixed the issue with this specific model.

As this vulnerability has been covered in depth, I will just provide the request screenshots of the Authenticated, Unauthenticated, and Bypass in Burp.

Authenticated

authorizedrequest

Unauthenticated

403forbidden

Next all that is required is to add the Referer: http://192.168.0.1/mainFrame.htm to the request and you will be allowed access to most functions, again check securelayer7’s post about this as it has been tested in depth.

Bypass

auth-bypass

HP R110 Wireless 11n VPN AM Router Credential exposure.

I had recently purchased a HP R110 Wireless 11n VPN AM Router (Product No: J9974A).

223867

I had noticed that it by default communicates via http instead of https, the reason this is an issue is that every single request the user sends after logging in is sent with the login and password in  get/post requests to the router.

img_20181206_181635.jpg

I apologize for the bad “screenshot” phone camera photo.

The ‘username=admin; password=admin’  shows up in every request after login.  I used the default credentials in this example so that i didn’t give my own away.
This might not seem like a big deal but anyone sniffing the network could obtain these credentials.