

Backdoor in the TP-Link routers - conductor
http://sekurak.pl/tp-link-httptftp-backdoor/

======
networked
TP-Link TL-WDR4300 can run OpenWrt [1], a highly modular Linux distribution
meant primarily for routers. If you have one of those routers and you're at
all familiar with Linux, you should really consider upgrading to OpenWrt. Once
you've got the web UI set up, administering it becomes very similar to
configuring "normal" routers.

Unfortunately, the stock firmware that comes with a lot of routers has just been no
good even when it lacked gaping security holes like this. Fortunately, there are
community-developed FOSS alternatives that offer a better user experience; I
imagine that having more eyes on the source also helps their security. I use
TomatoUSB [2] on my main router (Asus RT-N66U) and OpenWrt on the
"experimental" one (TP-Link TL-MR3020) and can highly recommend both
distributions.

[1] <http://wiki.openwrt.org/toh/tp-link/tl-wdr4300>

[2] <http://tomatousb.org/>

~~~
dwang
I like Gargoyle firmware, which is based on OpenWrt. It has a simpler
interface with QoS ready to go. The experimental version 1.5.9 has CoDel built
in. So far the router seems to be handling VoIP better than the Asus RT-N16
running Shibby's TomatoUSB firmware.

<https://www.gargoyle-router.com>

~~~
sbirarda
Been using Gargoyle on my WDR4300 for about a month.

Was turned off by the look at the beginning after coming from DD-WRT, but I'm
really happy with it so far - especially after getting QoS setup.

------
dazzawazza
This is why I keep a pfSense router between my LAN/DMZ and any consumer or
telco boxes. It's just not worth the risk.

TP-Link make money by selling fast cheap boxes. They cut corners on the
firmware and testing.

Other manufacturers may be more expensive but I don't trust they aren't also
cutting corners.

------
mvip
The major vuln aside -- are they seriously running Apache on the router?
"/usr/bin/httpd" sure looks to me like Apache (but could of course be
anything). Heard of Nginx or Lighttpd (or countless other lightweight web
servers)?

~~~
nodata
Why care? If it runs, it runs.

~~~
mvip
Yes, until it runs out of memory and you need to reboot it.

~~~
xentronium
Why should it run out of memory?

~~~
mvip
It's Apache. It's what it does best.

~~~
xentronium
Computers aren't magic. Apache httpd isn't magic. The only reason it can run
out of memory is misconfiguration.

~~~
mvip
Who said anything about magic? Apache's default config is crappy and it's a
bloated web server. It will bring down any VPS to swap of death unless you
lower MaxClients etc. with even a moderate amount of traffic.

More modern web servers (and more lightweight) don't have that problem. They
work for most configurations out-of-the-box ( _and_ perform better).

I don't know how Apache is configured on this particular router, but I can
spot ten httpd processes in the process listing. So yes, Apache is likely
both a bad choice to start with and beyond that, it is also poorly configured.

------
conductor
Related (root shell with hardcoded credentials):
<http://websec.ca/advisories/view/root-shell-tplink-wdr740>

~~~
dschulz

        Firmware Version: 3.12.4 Build 100910 Rel.57694n
        Hardware Version: WR741N v1/v2 00000000
    

it works :-/

------
Glyptodon
My RT-N16 died just past warranty - something with the power; it'd only power
on maybe 1 out of 25 times of sticking the adapter plug in. :/ Until that
happened I'd been quite a fan and it ran custom firmware quite contentedly.

Currently I'm running a Netgear Centria WNDR4700 (it was a freebie for various
reasons) and it has the lovely habit of storing user names and passwords in
plain text (file share user names and passwords are displayed in plain text,
and they're always the same as the login names and passwords so far as I can
tell). Unfortunately I'm not aware of any custom firmware for it. :(

I have a TP-LINK TL-WDR3500 buried in my closet. I hadn't realized it might
work with custom firmware. The physical ports being 10/100 would still be
annoying, but it might be worth looking into flashing it. Glad I saw this
post. =)

------
subway
I know it really isn't relevant to the vulnerability, but it bugs the crap out
of me to see somebody running commands as root when they don't need to... Does
this bother anyone else?

~~~
rytis
It doesn't bother me. Sometimes it's just more convenient not having to type
sudo with every command. Especially if it's a throw away VM/host that you're
experimenting with. YMMV.

------
newman314
Also, newer builds of openwrt and cero have CoDel built in which should help
address bufferbloat.

------
wlk
I just ordered this router knowing about this backdoor. I'm planning to
install OpenWrt as soon as it arrives, which I recommend to anyone, as was
pointed out in other comments.

------
felixfurtak
I wonder if this is limited to LAN side or WAN. WAN would be very worrying
indeed.

~~~
lunixbochs
You need access to the HTTP server to hit that URL, which means it won't work
over LAN unless you enabled remote management. Don't enable remote management
on your router :)
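As an added illustration of the "don't expose the admin UI on the WAN side" point (this is an editor's example, not something posted in the thread and not TP-Link's stock configuration), here is what the relevant part of an OpenWrt /etc/config/firewall looks like. The first zone stanza is OpenWrt's usual shape for the WAN zone, which already rejects unsolicited inbound traffic, so the router's own httpd is only reachable from the LAN. The commented-out rule below it is the kind of entry that re-opens the admin port from the WAN; the interface and zone names are the conventional ones and are assumed here.

```uci
# /etc/config/firewall (excerpt) -- added example, not from the original page.
# Zone and interface names ('wan', 'lan') are assumed to match the default
# OpenWrt network config on the device.

config zone
	option name 'wan'
	option network 'wan'
	option input 'REJECT'     # no inbound connections to the router itself from WAN
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'     # admin web UI only answers on the LAN side
	option output 'ACCEPT'
	option forward 'ACCEPT'

# The rule below is what "remote management" amounts to: it punches a hole
# for the web UI from the Internet. It is left commented out on purpose;
# with input 'REJECT' on the wan zone above, the admin UI is not reachable
# from outside.
#config rule
#	option name 'Allow-Admin-From-WAN'
#	option src 'wan'
#	option proto 'tcp'
#	option dest_port '80'
#	option target 'ACCEPT'
```

After editing, `/etc/init.d/firewall reload` applies the change on OpenWrt; checking from a host on the WAN side that TCP/80 on the router's public address is refused confirms the UI is not exposed.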

