TPLink tl-wr802n Auth bypass

The TPLink tl-wr802n version 4.0 is vulnerable to authentication bypass via altering the referrer attribute.

I did not realize that this vulnerability had been previously disclosed except that the model mentioned above was not included or known about in the initial report.  I am linking to securelayer7’s finding first so that you can read it.

http://blog.securelayer7.net/time-to-disable-tp-link-home-wifi-router/

I really wanted to like this device but I couldn’t make myself use it in a public setting.  That being said tplink was very fast in providing a beta firmware for me to try which fixed the issue with this specific model.

As this vulnerability has been covered in depth, I will just provide the request screenshots of the Authenticated, Unauthenticated, and Bypass in Burp.

Authenticated

authorizedrequest

Unauthenticated

403forbidden

Next all that is required is to add the Referer: http://192.168.0.1/mainFrame.htm to the request and you will be allowed access to most functions, again check securelayer7’s post about this as it has been tested in depth.

Bypass

auth-bypass

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s