[German]Security advice for owners of the TP-Link routers TL-WR841N and TL-WR841ND. Both models have security vulnerabilities, making the devices vulnerable to brute force and and cross-site request forgery attacks..
The information can be found on seclists.org since the end of May 2018. Vulnerable models are TP-Link TL-WR841N and TL-WR841ND, with firmware version 3.16.9 build 151216. all other (earlier) versions must also be vulnerable. Both models have brute force and cross-site request forgery vulnerabilities in TP-Link TL-WR841N and TL-WR841ND.
Brute Force (WASC-11)
The web interface can be accessed via the IP address 192.168.0.1. However, there is no protection against brute force attacks (BF). Normally, access to this web interface from the Internet is not possible, you can only determine a password via the LAN using a brute force attack. But a Cross-Site Request Forgery (CSRF) attack can execute a remote attack.
Cross-Site Request Forgery (WASC-09)
You can disable Internet access in the Remote Control section of the router. The relevant URLs for disabling via the Internet are:
http: //192.168.0.1 /YVNLOORCJBATZQDB/userRpm/ManageControlRpm.htm?port=80&ip=0.0.0.0&Save=1
and to switch on access via the Internet:
http: //192.168.0.1 /YVNLOORCJBATZQDB/userRpm/ManageControlRpm.htm?port=80&ip=255.255.255.255&Save=1
To bypass the protection it is necessary to set the referer header and path (YVNLOORCJBATZQDB in the above URLs). However, this changes with each login to the admin panel. However, this path can be found by information leaks, social engineering or XSS vulnerabilities in the admin panel. Eugene Dokukin described the whole thing in his blog (cyrillic). The firmware does not seem to have been updated yet. On the TP-Link page here is the current firmware version of February 24, 2018.
Cookies helps to fund this blog: Cookie settings