Ancient TP-Link Backdoor Discovered by Attackers, (Sun, Nov 17th)
SANS Internet Storm Center, InfoCON: green 2024-11-17
There are so many vulnerabilities in commonly used routers that attackers often leave many easily exploited vulnerabilities untouched, as they already have plenty of vulnerabilities to exploit.
Looking today at our "First Seen URL" page, I noticed this odd URL:
/userRpmNatDebugRpm26525557/start_art.html
The URL is very "specific" in including a number, and at first, I suspected a web shell placed by an attacker. But it turns out this backdoor comes (came?) preinstalled in many TP-Link routers.
One reason that this has not been exploited more so far is likely the fact that the original discovery was published in a bit of an obscure place [https://sekurak.pl/tp-link-httptftp-backdoor/] and didn't include a lot of details, other than a run-through showing how to exploit the vulnerability.
The issue was originally discovered over ten years ago. It is not clear if it was ever patched. The discoverer of the vulnerability does indicate that they (after some false starts) made contact with TP-Link. There appears to be no CVE number assigned to the vulnerability.
Another reason this backdoor is a bit more difficult to exploit than other vulnerabilities is the need for a TFTP server. As explained in the blog post above, sending a request to the URL initiates a TFTP request from the router to the IP address sending the request. The TFTP request will retrieve a file, "nart.out". The file will later be executed.
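A defender-side check for the behaviour described above, as an added example that is not from the diary or the original write-up: it flags requests for the URL in a web log and escalates when the router then sends a TFTP read request for "nart.out" back to the requester. The log layout, the 60-second window, the function names and the sample records are constructed assumptions.

```python
import re
import struct

# Path exactly as it appears in the diary's "First Seen URL" entry.
BACKDOOR_PATH = "/userRpmNatDebugRpm26525557/start_art.html"
PAYLOAD_NAME = "nart.out"   # file the router fetches over TFTP, per the diary
WINDOW = 60                 # seconds between request and fetch (assumed)
# Constructed log layout: <epoch> <client-ip> "<METHOD> <path> ..."
LOG_RE = re.compile(r'^(?P<ts>\d+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)')

def parse_rrq(payload):
    """Return the filename of a TFTP read request (RFC 1350 opcode 1), else None."""
    if len(payload) < 4 or struct.unpack("!H", payload[:2])[0] != 1:
        return None
    parts = payload[2:].split(b"\x00")   # filename NUL mode NUL
    return parts[0].decode("ascii", "replace") if len(parts) >= 3 else None

def find_hits(http_lines, udp_events):
    """udp_events: (ts, src_ip, dst_ip, dst_port, payload) seen leaving the router."""
    alerts = []
    for line in http_lines:
        m = LOG_RE.match(line)
        if not m or m["path"].split("?")[0] != BACKDOOR_PATH:
            continue
        ts, requester = int(m["ts"]), m["src"]
        # A fetch back to the requester means the device acted on the request.
        fetched = any(
            dport == 69 and dst == requester and 0 <= uts - ts <= WINDOW
            and parse_rrq(data) == PAYLOAD_NAME
            for uts, _src, dst, dport, data in udp_events
        )
        alerts.append({"ts": ts, "requester": requester,
                       "severity": "critical" if fetched else "probe"})
    return alerts

# Constructed sample data (documentation address ranges).
SAMPLE_HTTP = [
    '1731800000 203.0.113.7 "GET /userRpmNatDebugRpm26525557/start_art.html HTTP/1.1" 200',
    '1731800050 198.51.100.9 "GET /userRpmNatDebugRpm26525557/start_art.html HTTP/1.1" 404',
    '1731800100 192.0.2.5 "GET /index.html HTTP/1.1" 200',
]
SAMPLE_UDP = [
    (1731800002, "192.0.2.1", "203.0.113.7", 69, b"\x00\x01nart.out\x00octet\x00"),
    (1731800051, "192.0.2.1", "198.51.100.9", 53, b"\x00\x01nart.out\x00octet\x00"),
]

if __name__ == "__main__":
    for alert in find_hits(SAMPLE_HTTP, SAMPLE_UDP):
        print(alert)
```

A "probe" result means only that the URL was requested; "critical" means the router was also seen reaching out over TFTP to the requester, so the device should be treated as affected.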
I just hope TP-Link has fixed the issue after 12 years, and vulnerable routers are either no longer operational after such a long time or have been patched (or at least secured to the point that the admin web page is not accessible from the internet).
--- Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.