TRENDnet Shell

2014-06-24T00:00:00
ID SAINT:2CBFD18E4F2A539231445376AE469CFB
Type saint
Reporter SAINT Corporation
Modified 2014-06-24T00:00:00

Description

Added: 06/24/2014

Background

TRENDnet routers are vulnerable to a range of SQL injection, command injection, and buffer overflow vulnerabilities. Current supported devices include:

TEW-654TR - Remote Root Shell TEW-732BR - Remote Root Shell

Problem

A SQL injection vulnerability allows the attacker to elevate privileges from anonymous to administrator. With the administrative access the attcker is able to access the ping.cgi which is vulnerable to a command injection. A busybox shell is spawned on the specified port.

Limitations

The root shell can be accessed from the Connections tab. The 'File Upload' functionality does not function due to the limitations of the BusyBox shell.

Try the following commands in the interactive shell

echo "select * from user;" &lt /tmp/selectuser.txt ;sqlite3 /etc/rt.db < /tmp/selectuser.txt echo "select * from user;" &lt /tmp/selectuser.txt ;sqlite3 /etc/apc.db < /tmp/selectuser.txt echo "select * from user;" &lt /tmp/selectuser.txt ;sqlite3 /etc/ap.db < /tmp/selectuser.txt echo "select * from wpa_settings;" &lt /tmp/selectwpakey.txt ;sqlite3 /etc/rt.db < /tmp/selectwpakey.txt cat /etc/shadow

Resolution

Update the firmware.

Platforms

BusyBox