Zero-Day Vulnerability found in TP-Link Smart SR20 Routers
Google security engineer Matthew Garrett found a remote code execution vulnerability in TP-Link SR20 routers that gives root access from the local network.
Garrett reported it to TP-Link 90 days ago but never received a response, so he publicly disclosed the zero-day vulnerability along with a proof of concept (PoC).
He wrote a script that executes any command you choose on the device with root privileges, without authentication, on the TP-Link smart routers.
It’s been over 90 days since I reported it and @TPLINK never responded, so: arbitrary command execution on the TP-Link SR20 smart hub and router (and possibly other TP-Link devices)
— Matthew Garrett (@mjg59) March 28, 2019
The router then connects back to the requesting machine over TFTP, requests the filename via TFTP, imports it into a Lua interpreter and passes the argument to the config_test() function in the file it just imported. The interpreter is running as root.
“The os.execute() method allows you to execute whatever you want, and you’re running as root, so victory. tddp is listening on all interfaces but the default firewall rules block WAN access, so this is local network only,” Garrett said.
“The SR20 still exposes some version 1 commands, one of which (command 0x1f, request 0x01) appears to be for some sort of configuration validation. You send it a filename, a semicolon and then an argument.”
“TP-Link routers frequently run a process called “tddp” (TP-Link Device Debug Protocol) as root. It’s had multiple vulnerabilities in the past and the protocol is fairly well documented. Version 1 has no auth, version 2 requires the admin password.”
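A defender-side example added here (it is not Garrett's PoC nor any TP-Link code): it correlates connection records for the sequence the quotes describe, an unauthenticated tddp datagram sent to the router followed by the router fetching a file back over TFTP from the same host. It assumes tddp listens on UDP/1040 (not stated above) and runs over constructed Zeek-style log lines.

```python
from datetime import datetime, timedelta

TDDP_PORT = 1040   # assumption: tddp listens on UDP/1040 (port not given on the page)
TFTP_PORT = 69     # TFTP, the protocol the router uses to fetch the Lua file
WINDOW = timedelta(seconds=10)

# Constructed sample records in a Zeek-like conn.log layout:
# ts uid src sport dst dport proto
SAMPLE_LOG = """\
2019-03-28T10:00:00 C1 192.168.0.20 51000 192.168.0.1 1040 udp
2019-03-28T10:00:01 C2 192.168.0.1 41234 192.168.0.20 69 udp
2019-03-28T10:05:00 C3 192.168.0.30 51001 192.168.0.1 1040 udp
2019-03-28T10:06:00 C4 192.168.0.1 53 192.168.0.30 5353 udp
2019-03-28T10:07:00 C5 192.168.0.40 51002 192.168.0.1 80 tcp
"""

def parse(line):
    """Split one constructed conn record into a dict with typed fields."""
    ts, uid, src, sport, dst, dport, proto = line.split()
    return {"ts": datetime.fromisoformat(ts), "uid": uid, "src": src,
            "dst": dst, "sport": int(sport), "dport": int(dport), "proto": proto}

def find_tddp_tftp_callbacks(log_text, router_ip):
    """Return (tddp_uid, tftp_uid, client_ip) triples where an inbound tddp
    datagram to the router is followed within WINDOW by the router opening a
    TFTP connection back to the same host: the connect-back the SR20 bug relies on."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    tddp_in = [e for e in events
               if e["proto"] == "udp" and e["dst"] == router_ip and e["dport"] == TDDP_PORT]
    tftp_out = [e for e in events
                if e["proto"] == "udp" and e["src"] == router_ip and e["dport"] == TFTP_PORT]
    hits = []
    for t in tddp_in:
        for f in tftp_out:
            # Same peer, and the TFTP fetch happens shortly after the tddp request
            if f["dst"] == t["src"] and t["ts"] <= f["ts"] <= t["ts"] + WINDOW:
                hits.append((t["uid"], f["uid"], t["src"]))
    return hits

if __name__ == "__main__":
    for tddp_uid, tftp_uid, client in find_tddp_tftp_callbacks(SAMPLE_LOG, "192.168.0.1"):
        print(f"ALERT tddp request {tddp_uid} from {client} followed by TFTP callback {tftp_uid}")
```

Only the C1/C2 pair matches; C3 is a lone tddp datagram with no TFTP callback, so it is not flagged.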
Companies should take researcher submissions seriously; as we have seen, many companies that offer bug bounty programs ignore researchers or dismiss submissions as duplicates.
Research by Matthew Garrett, a mobile and firmware developer on Linux and a security developer at Google.