Google security researcher Matthew Garrett has found that an unpatched weakness in the TP-Link SR20 smart hub and router can be exploited to achieve arbitrary command execution as root.

The problem, which is likely to affect other TP-Link devices as well, was found in the "TDDP" (TP-Link Device Debug Protocol) daemon, which TP-Link routers frequently run as root. Version 1 of the protocol is unauthenticated; version 2 requires the router's admin password.

Garrett found that the router still exposes some version 1 commands, including one for configuration validation.

“You send it a filename, a semicolon and then an argument,” the researcher explains on Twitter.

Garrett also notes that the router then connects back to the requesting machine over TFTP, requests the named file, loads it into a Lua interpreter and passes the argument to the config_test() function in the file it just loaded.

The researcher went on to say that an attacker could use the os.execute() method to run arbitrary commands with root privileges, since the interpreter itself is running as root.
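To make the flaw concrete, here is an added model of the sequence described above: filename, semicolon, argument; the daemon fetches the file back from the requester; loads it; and calls config_test(argument). This is not Garrett's proof-of-concept and not TP-Link firmware code. Python exec() stands in for the Lua interpreter, an in-memory dict stands in for the TFTP connect-back, and the function names, the key=value configuration grammar and the sample files are assumptions made for this example. The hardened variant shows what "configuration validation" should be: parsing data, with no interpreter in the loop.

```python
import re
import subprocess
from typing import Callable, Dict

# Constructed stand-in for the requesting machine's TFTP server (filename -> body).
# In the real attack the router fetches from whoever sent the TDDP packet, so the
# attacker hosts these files. Python source replaces Lua source in this model.
REQUESTER_TFTP_FILES: Dict[str, str] = {
    # Benign file: config_test() really does check its argument.
    "good.lua": (
        "def config_test(arg):\n"
        "    return 'ok' if arg.isalnum() else 'bad'\n"
    ),
    # Malicious file: config_test() hands its argument to the system shell,
    # standing in for Lua's os.execute(). It runs with the loader's privileges,
    # which on the SR20 means root.
    "evil.lua": (
        "import subprocess\n"
        "def config_test(arg):\n"
        "    return subprocess.run(arg, shell=True, capture_output=True, text=True).stdout\n"
    ),
}


def tftp_fetch(files: Dict[str, str], filename: str) -> str:
    """Stand-in for the router's TFTP read request back to the requester."""
    if filename not in files:
        raise FileNotFoundError(filename)
    return files[filename]


def handle_config_test_v1(payload: str, fetch: Callable[[str], str]) -> str:
    """VULNERABLE: models the TDDP v1 command as the article describes it.

    payload is '<filename>;<argument>'. The daemon fetches <filename> from the
    requester, loads it into the interpreter, and calls config_test(<argument>).
    Whoever controls the fetched file therefore controls what executes.
    """
    filename, _, argument = payload.partition(";")
    source = fetch(filename)          # connect-back to the requester
    namespace: dict = {}
    exec(source, namespace)           # load the untrusted file (Lua interpreter in the real daemon)
    return namespace["config_test"](argument)


# Hardened alternative: treat the configuration as data, never as code, and do
# not fetch it from the requester. The key=value grammar and the allowed keys are
# assumptions for this example; the SR20's real config format is not described.
ALLOWED_KEYS = {"hostname", "dhcp", "lan_ip"}
_LINE = re.compile(r"^([a-z_]+)=([A-Za-z0-9_.]+)$")


def safe_validate_config(config_text: str) -> bool:
    """Return True only if every non-empty line is '<known_key>=<value>'. Nothing is executed."""
    for line in config_text.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m or m.group(1) not in ALLOWED_KEYS:
            return False
    return True


if __name__ == "__main__":
    fetch = lambda f: tftp_fetch(REQUESTER_TFTP_FILES, f)
    print(handle_config_test_v1("good.lua;abc", fetch))            # ok
    print(handle_config_test_v1("evil.lua;echo pwned", fetch))     # pwned  <- requester's command ran
    print(safe_validate_config("hostname=sr20\ndhcp=on\n"))        # True
    print(safe_validate_config(REQUESTER_TFTP_FILES["evil.lua"]))  # False, and nothing executed
```

The point of the pairing is that the "validation" command never needed an interpreter at all: once the daemon fetches a file chosen by the requester and executes code from it, authentication on the rest of the protocol is irrelevant, and the fix is to remove the code path, not to sanitise the argument.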

Since the default firewall rules on SR20 routers block WAN access to the service, the vulnerability can only be exploited from the local network, he adds.

Garrett found the weakness last year and reported it to TP-Link in December, but received no response from the company. He therefore decided not only to make the vulnerability public but also to publish proof-of-concept code exploiting it.

“Stop shipping debug daemons on production firmware and if you’re going to have a webform to submit security issues then have someone actually respond to it,” Garrett pointed out on Twitter.
