Hackers Target TP-Link Vulnerability to Gain Full System Control

Hackers exploit a vulnerability in TP-Link routers, specifically the TL-WR845N model, to gain full control over the system.

This exploit allows unauthorized users to access the root shell credentials, giving them unrestricted access to manipulate and control the router.

Here is a summary of the affected product and how the vulnerability can be exploited:

Affected Product Details

Product Information	Details
Manufacturer	TP-Link
Model	TL-WR845N
Firmware Versions Affected	TL-WR845N(UN)_V4_190219, TL-WR845N(UN)_V4_200909, TL-WR845N(UN)_V4_201214
Vulnerability Exploited	Weak root shell credentials

The vulnerability allows hackers to extract the root shell credentials from the router’s firmware.

The firmware can be obtained either by physically accessing the router’s SPI Flash memory or by downloading it from TP-Link’s official website.

Once extracted, tools such as binwalk or FirmAudit can be used to analyze the firmware and extract files.

The root password is stored in MD5 hash format in the squashfs-root/etc/passwd and squashfs-root/etc/passwd.bak files.

This hashed password can be easily cracked using tools like hashcat or John the Ripper to reveal the password as “1234.” The username, “admin,” is stored in plain text.

Steps to Exploit the Vulnerability

1. Obtain Firmware: Get the firmware either through SPI Flash memory or download from the official website.
2. Extract Files: Use tools like binwalk to extract files from the firmware. Command: $ binwalk -e firmware.bin
3. Access Credentials: Go to the squashfs-root/etc directory and find the passwd and passwd.bak files.
4. Reveal Credentials: Use commands like $ cat passwd or $ cat passwd.bak to view the username and hashed password.
5. Crack Password: Use tools like hashcat or John the Ripper to crack the MD5 hashed password, which reveals as “1234.”
6. Validate Credentials: Use UART port communication to validate the credentials by entering the login command and providing the username and password.

This vulnerability poses significant risks as it allows malicious actors to gain full control over the router, potentially leading to unauthorized access, data theft, and even the spread of malware.

Recommendations:

• Users are advised to update their firmware as soon as an updated version is available.
• Implement robust security practices, such as using strong passwords and enabling WPA3 encryption.
• Regularly monitor router activity for suspicious behavior.

This exploit highlights the importance of regularly updating router firmware and maintaining strong security protocols in networks.

Users should remain vigilant and adopt best practices to protect their devices from similar vulnerabilities.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.