
TP-Link's SR20 Smart Home Router is affected by a zero-day arbitrary code execution (ACE) vulnerability that lets attackers on the same network run arbitrary commands, as disclosed on Twitter by Google security developer Matthew Garrett. Garrett published the ACE zero-day after TP-Link gave no response during the 90 days following his report. As he explained in the Twitter thread, the flaw stems from the fact that "TP-Link routers frequently run a process called 'tddp' (TP-Link Device Debug Protocol) as root", a process previously found to contain multiple other vulnerabilities.

TDDP accepts two types of commands on the device: type 1 commands, which require no authentication, and type 2 commands, which require administrator credentials. As Garrett details, the vulnerable router exposes a number of type 1 commands, one of which, command 0x1f request 0x01, "appears to be for some sort of configuration validation". Sending that command with a payload consisting of a filename, a semicolon, and an argument is enough to start the exploitation: it instructs the router to connect back over Trivial File Transfer Protocol (TFTP) to the machine that sent the specially crafted request.

Once connected to the attacker's machine, the SR20 "requests the filename via TFTP, imports it into a Lua interpreter and passes the argument to the config_test() function in the file it just imported. The interpreter is running as root." From there, Lua's os.execute() function lets the unauthenticated attacker run any command as root, giving full takeover of a compromised TP-Link SR20.
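The chain above has a visible network side effect that defenders can look for: a LAN host sends a TDDP datagram to the router, and shortly afterwards the router itself opens a TFTP session back to that same host, something a home router normally has no reason to do. The following detection sketch is an added example, not code from the article or from TP-Link or Matthew Garrett; it runs over constructed flow records and assumes TDDP listens on UDP port 1040 (the article does not state the port) and TFTP on UDP port 69.

```python
"""Added detection example (not from the article or TP-Link): flag the
pattern described in the disclosure, where a LAN host sends a TDDP request
to the router and the router then connects back to that host over TFTP.

Assumptions not stated in the article:
  * TDDP listens on UDP port 1040 (TDDP_PORT below).
  * TFTP uses UDP port 69.
  * Flow records are constructed here in a Zeek-like dict shape.
"""

TDDP_PORT = 1040   # assumed TDDP listener port
TFTP_PORT = 69     # standard TFTP port

# Constructed sample flow records (not real captures). 192.168.0.1 is the
# router; .77 first talks TDDP to it and then receives TFTP from it.
SAMPLE_FLOWS = [
    {"ts": 100.0, "src": "192.168.0.20", "dst": "192.168.0.1",  "dport": 53,        "proto": "udp"},
    {"ts": 101.0, "src": "192.168.0.77", "dst": "192.168.0.1",  "dport": TDDP_PORT, "proto": "udp"},
    {"ts": 101.4, "src": "192.168.0.1",  "dst": "192.168.0.77", "dport": TFTP_PORT, "proto": "udp"},
    {"ts": 300.0, "src": "192.168.0.1",  "dst": "192.168.0.55", "dport": TFTP_PORT, "proto": "udp"},
    {"ts": 400.0, "src": "192.168.0.77", "dst": "192.168.0.1",  "dport": 80,        "proto": "tcp"},
]


def find_tddp_tftp_callbacks(flows, router_ip, window_s=30.0):
    """Return alerts for hosts that send TDDP traffic to router_ip and then
    receive a TFTP connection *from* the router within window_s seconds.
    The router acting as a TFTP client toward a LAN host is the observable
    part of the chain described in the article."""
    last_tddp = {}   # host -> timestamp of its most recent TDDP datagram
    alerts = []
    for f in sorted(flows, key=lambda r: r["ts"]):
        if f["proto"] != "udp":
            continue
        if f["dst"] == router_ip and f["dport"] == TDDP_PORT:
            last_tddp[f["src"]] = f["ts"]
        elif f["src"] == router_ip and f["dport"] == TFTP_PORT:
            t = last_tddp.get(f["dst"])
            if t is not None and 0 <= f["ts"] - t <= window_s:
                alerts.append({
                    "host": f["dst"],
                    "tddp_ts": t,
                    "tftp_ts": f["ts"],
                    "reason": "router opened TFTP to host shortly after a TDDP request",
                })
    return alerts


def router_tftp_clients(flows, router_ip):
    """Lower-confidence signal: every LAN host the router has contacted over
    TFTP at all. Worth reviewing even without a matching TDDP datagram,
    since the router should not be fetching files from LAN clients."""
    return sorted({
        f["dst"] for f in flows
        if f["proto"] == "udp" and f["src"] == router_ip and f["dport"] == TFTP_PORT
    })


if __name__ == "__main__":
    for alert in find_tddp_tftp_callbacks(SAMPLE_FLOWS, "192.168.0.1"):
        print("ALERT", alert)
    print("router TFTP clients:", router_tftp_clients(SAMPLE_FLOWS, "192.168.0.1"))
```

The correlation window is deliberately short because the router fetches the file immediately after receiving the command; the second function is a broader sweep that catches TFTP pulls whose triggering TDDP datagram was not captured. Either signal is a reason to pull the router off the network until it is patched, since the article notes that no fix was available at disclosure time.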
