Zero-Day Vulnerability in TP-Link Smart Routers [POC]

Zero-Day Vulnerability found in TP-Link Smart SR20 Routers

Google security engineer Matthew Garrett found a remote code execution vulnerability on TP-Link SR20 routers that runs commands as root and is reachable from the local network.

Garrett reported it to TP-Link 90 days ago but did not get any response, so he publicly disclosed the zero-day vulnerability with a proof of concept (PoC).

He wrote a script that executes any command you choose on the device with root privileges, without authenticating to the TP-Link smart router.

The router then connects back to the requesting machine over TFTP, requests the named file, imports it into a Lua interpreter, and passes the argument to the config_test() function in the file it just imported. The interpreter runs as root.

“The os.execute() method allows you to execute whatever you want, and you’re running as root, so victory. tddp is listening on all interfaces but the default firewall rules block WAN access, so this is local network only.”, Garrett said.

“The SR20 still exposes some version 1 commands, one of which (command 0x1f, request 0x01) appears to be for some sort of configuration validation. You send it a filename, a semicolon and then an argument.”

“TP-Link routers frequently run a process called “tddp” (TP-Link Device Debug Protocol) as root. It’s had multiple vulnerabilities in the past and the protocol is fairly well documented. Version 1 has no auth, version 2 requires the admin password.”
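
The callback described above is something a defender can watch for on the LAN. The following is an added example, not code from Garrett's proof of concept or from this article: it flags TFTP read requests that the router itself sends to a LAN host and notes whether that host sent the router a non-routine UDP datagram shortly before. The `Datagram` record, the five-second window, the list of routine router services and the sample capture are assumptions made for illustration.

```python
from dataclasses import dataclass

TFTP_PORT, TFTP_RRQ = 69, 1        # RFC 1350: well-known port, read-request opcode
EXPECTED_SERVICES = {53, 67, 123}  # assumption: DNS/DHCP/NTP to the router is routine
WINDOW = 5.0                       # assumption: seconds between trigger and callback

@dataclass(frozen=True)
class Datagram:                    # one UDP datagram taken from a LAN capture
    ts: float
    src: str
    dst: str
    dport: int
    payload: bytes

def parse_rrq(payload: bytes):
    """Return the requested filename if payload is a TFTP read request, else None."""
    if int.from_bytes(payload[:2], "big") != TFTP_RRQ:
        return None
    name, nul, _mode = payload[2:].partition(b"\x00")
    return name.decode("ascii", "replace") if nul and name else None

def find_callbacks(datagrams, router_ip, window=WINDOW):
    """Flag TFTP read requests sent by the router to a LAN host, and note whether
    that host sent the router a non-routine UDP datagram shortly before."""
    last_trigger, alerts = {}, []
    for d in sorted(datagrams, key=lambda d: d.ts):
        if d.dst == router_ip and d.dport not in EXPECTED_SERVICES:
            last_trigger[d.src] = d            # candidate request to a router service
        elif d.src == router_ip and d.dport == TFTP_PORT:
            filename = parse_rrq(d.payload)
            if filename is None:
                continue                       # not a read request
            prior = last_trigger.get(d.dst)
            hit = prior is not None and d.ts - prior.ts <= window
            alerts.append({"host": d.dst, "file": filename, "correlated": hit,
                           "trigger_port": prior.dport if hit else None})
    return alerts

ROUTER = "192.168.0.1"  # constructed sample capture: addresses, ports and names are made up
SAMPLE = [
    Datagram(10.0, "192.168.0.23", ROUTER, 53, b"\x12\x34"),   # routine DNS query
    Datagram(11.0, "192.168.0.50", ROUTER, 40000, b"\x00"),    # placeholder port and payload
    Datagram(11.2, ROUTER, "192.168.0.50", TFTP_PORT, b"\x00\x01sample.lua\x00octet\x00"),
    Datagram(90.0, ROUTER, "192.168.0.23", TFTP_PORT, b"\x00\x01other.bin\x00octet\x00"),
]

if __name__ == "__main__":
    for alert in find_callbacks(SAMPLE, ROUTER):
        print(alert)
```

A home router has little reason to fetch files from a client on its own LAN, so even an uncorrelated alert deserves a look; the correlated ones identify the host that prompted the fetch.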

Companies should take researcher submissions seriously. We have seen that many companies that offer bug bounty programs ignore researchers or say the submission was a duplicate.

Research by:
Matthew Garrett is a mobile and firmware developer on Linux and a security developer at Google.
