Multiple cross-site request forgery (CSRF) vulnerabilities on the TP-LINK WR1043N router with firmware TL-WR1043ND_V1_120405 allow remote attackers to hijack the authentication of administrators for requests
* TP-LINK WR1043N router with firmware TL-WR1043ND_V1_120405
The TP-LINK WR1043N router is susceptible to several CSRF attacks, which allow an attacker to forge HTML forms and execute actions on behalf of a legitimate user. ISE created a proof of concept that when executed by an unsuspecting device administrator, traverses the /tmp filesystem of the WR1043N and makes it an FTP share, and enables Internet access to the router's FTP server.Like most susceptible routers, it is possible to enable remote management using CSRF against the WR1043N. However, this is not useful to an attacker, because it is not possible to reset the administrative credentials to the WR1043N without knowing the previous username and password. Instead, ISE combined cross-site request forgery, the Internet-accessible FTP server's access to the /tmp directory, and a race condition between the web interface's writing of a shell script and executing it, to obtain root shell access to the router.