Security

This article is more than 1 year old

TP-Link 'smart' router proves to be anything but smart – just like its maker: Zero-day vuln dropped after silence

Google security engineer emits SR20 PoC exploit after manufacturer fails to respond

Thu 28 Mar 2019 // 19:40 UTC

TP-Link's all-in-one SR20 Smart Home Router allows arbitrary command execution from a local network connection, according to a Google security researcher.

On Wednesday, 90 days after he informed TP-Link of the issue and received no response, Matthew Garrett, a well-known Google security engineer and open-source contributor, disclosed a proof-of-concept exploit to demonstrate a vulnerability affecting TP-Link's router.

The 38-line script shows that you can execute any command you choose on the device with root privileges, without authentication. The SR20 was announced in 2016.

Via Twitter, Garrett explained that TP-Link hardware often incorporates TDDP, the TP-Link Device Debug Protocol, which has had multiple vulnerabilities in the past. Among them, version 1 did not require a password.

Huawei's half-arsed router patching left kit open to botnets

"The SR20 still exposes some version 1 commands, one of which (command 0x1f, request 0x01) appears to be for some sort of configuration validation," he said. "You send it a filename, a semicolon and then an argument."

Once it receives the command, says Garrett, the router responds to the requesting machine via TFTP, asks for the filename, imports it to a Lua interpreter, running as root, and sends the argument to the config_test() function within the imported file.

The Lua os.execute() method passes a command to be executed by an operating system shell. And since the interpreter is running as root, Garret explains, you have arbitrary command execution.

However, while TDDP listens on all interfaces, the default firewall prevents network access, says Garrett. This makes the issue less of a concern that remote code execution flaws identified in TP-Link 1GbE VPN routers in November.

Even so, vulnerability to a local attack could be exploited if an attacker manages to get a malicious download onto a machine connected to an SR20 router.

TP-Link did not immediately respond to a request for comment.

Garrett concluded his disclosure by urging TP-Link to provide a way to report security flaws and not to ship debug daemons on production firmware. ®

Topics

Special Features

Vendor Voice

Resources

Security

TP-Link 'smart' router proves to be anything but smart – just like its maker: Zero-day vuln dropped after silence

Google security engineer emits SR20 PoC exploit after manufacturer fails to respond

Huawei's half-arsed router patching left kit open to botnets

More about

More about

Narrower topics

More about

More about

More about

Narrower topics

TIP US OFF

Other stories you might like

OpenAI's GPT-4 can exploit real vulnerabilities by reading security advisories

Ex-CEO of 'unicorn' app startup HeadSpin heads to jail after BS'ing investors

Cisco creates architecture to improve security and sell you new switches

Protecting distributed branch office environments from ransomware

Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online

Microsoft squashes SmartScreen security bypass bug exploited in the wild

Microsoft really does not want Windows 11 running on ancient PCs

Sleuths who cracked Zodiac Killer's cipher thank the crowd

Rust developers at Google are twice as productive as C++ teams

Crooks exploit OpenMetadata holes to mine crypto – and leave a sob story for victims

IT consultant-cum-developer in court over hiding COVID-19 loan

US Air Force says AI-controlled F-16 fighter jet has been dogfighting with humans

About Us

Our Websites

Your Privacy