TRENDnet Shell

Added: 06/24/2014

Background

TRENDnet routers are affected by a range of SQL injection, command injection, and buffer overflow vulnerabilities. Currently supported devices include:


Problem

A SQL injection vulnerability allows the attacker to elevate privileges from anonymous to administrator. With administrative access, the attacker is able to reach ping.cgi, which is vulnerable to command injection. A BusyBox shell is spawned on the specified port.

Limitations

The root shell can be accessed from the Connections tab. The 'File Upload' functionality does not function due to the limitations of the BusyBox shell.

Try the following commands in the interactive shell

Resolution

Update the firmware.
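
The command injection in ping.cgi belongs to a class of flaw that is closed on the firmware side by validating the ping target against an allowlist and executing ping without a shell. The following C sketch is an added example, not code from TRENDnet firmware or from this exploit; the function names, the `/bin/ping` path and the packet count are assumptions, and the page does not describe how ping.cgi actually builds its command.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if host is a hostname or dotted IPv4 literal: [A-Za-z0-9.-] only,
 * labels of 1..63 chars, no label starting or ending with '-'. */
int is_valid_ping_target(const char *host)
{
    size_t len, label = 0;
    if (host == NULL || (len = strlen(host)) == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        char c = host[i];
        int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9');
        if (c == '.') {
            if (label == 0 || host[i - 1] == '-') return 0;
            label = 0;
        } else if (alnum || c == '-') {
            if (c == '-' && label == 0) return 0; /* also blocks "-opt" */
            if (++label > 63) return 0;
        } else {
            return 0; /* shell metacharacters, whitespace, anything else */
        }
    }
    return label > 0 && host[len - 1] != '-';
}

/* Fill argv for execv(); "--" ends option parsing before the target. */
int build_ping_argv(const char *host, const char *argv[6])
{
    if (!is_valid_ping_target(host)) return -1;
    argv[0] = "ping"; argv[1] = "-c"; argv[2] = "4";
    argv[3] = "--";   argv[4] = host; argv[5] = NULL;
    return 0;
}

/* Run ping with no shell involved; returns the wait status or -1. */
int run_ping(const char *host)
{
    const char *argv[6];
    int status = -1;
    pid_t pid;
    if (build_ping_argv(host, argv) != 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) { execv("/bin/ping", (char *const *)argv); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return status;
}
```

Because the target is passed as a single argv element to `execv()`, no shell ever parses it, so the allowlist is a second layer rather than the only barrier.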

Platforms

BusyBox
