TP-Link’s SR20 Smart Home Router is affected by zero-day arbitrary code execution (ACE) vulnerability, enabling potential attackers to perform arbitrary commands in that same network as Google security developer Matthew Garrett revealed on Twitter.
Garrett disclosed that ACE 0-day after TP-Link failed to respond within 90 days of its report and, as explained in the Twitter thread, zero-day results from the fact that “TP-Link routers often run a process called” tddp “as a root which has previously been detected to contain much other vulnerability.
TDDP enables two types of commands to be executed on a single device: type 1 without authentication and type 2 which requests the credentials of the administrator. According to Garret, the vulnerable router has a number of type 1 commands, one of them — 0x1f, request 0x01 — “seems to be some kind of configuration validation,” which allows potential attackers to send commands that include a filename, a semicolon, and an argument for initiating the exploitation process.
It’s been over 90 days since I reported it and @TPLINK never responded, so: arbitrary command execution on the TP-Link SR20 smart hub and router (and possibly other TP-Link device)
— Matthew Garrett (@mjg59) 28 March 2019
This will send the specially crafted request to the machine via Trivial File Transfer Protocol (TFTP) to the TP-Link router. The smart hub SR20, which is connected to the potential attacker, “calls for the filename via TFTP, imports it into a LUA interpreter and transfers the argument to the config test function in the just-imported file.
The interpreter runs as a root” and the os.execute) (method will then allow unauthenticated attackers to execute any command they like as root, leading to a full takeover of the attacker’s computer. Proof of concept is also available while the tddp-daemon is intended to listen to all traffic on all interfaces; the default firewall rules on SR20 routers block attackers from exploiting a non-local area network (LAN) vulnerability from the device.
Garret closes by saying that the TP-Link “shipping debug daemon to production firmware should cease, and if you have a web form to submit security problems, then someone will actually do it.”
The Google developer also created a proof-of-concept (PoC) which was shared publicly when the zero-day was revealed. The last firmware update released for the SR20 Smart Home Router is June 2018, removing WPS from the WEB UI of the router, fixing bugs on some Smart Actions, and adding support for a number of TP-Link Smart Wifi devices.