TP-Link's SR20 Smart Home Router was recently found to have a vulnerability that allows arbitrary command execution from a local network connection, according to Google security researcher Matthew Garrett. The router, launched in 2016, exposes various commands that run with root privileges and do not even require validation.
The researcher disclosed the flaw publicly after he was unable to get a response from TP-Link, and he also published a proof-of-concept to demonstrate the weakness.
Garrett took to Twitter to explain that the TP-Link SR20 Smart Home Router runs TDDP (TP-Link Device Debug Protocol), which is affected by several vulnerabilities, one of which is that version 1 commands are 'exposed' for attackers to exploit.
He says that these exposed commands allow attackers to send a command containing a filename and a semicolon to trigger the process.
“This connects back to the machine that sent
the command and attempts to download a file via TFTP (Trivial File Transfer
Protocol) corresponding to the filename it sent. The main TDDP process waits up
to four seconds for the file to appear - once it does, it loads the file into a
Lua interpreter it initialized earlier, and calls the function config_test()
with the name of the config file and the remote address as arguments. Since
config_test() is provided by the file that was downloaded from the remote
machine, this gives arbitrary code execution in the interpreter, which includes
the os.execute method which just runs commands on the host. Since TDDP is
running as root, you get arbitrary command execution as root,” he explains on
his blog.
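The connect-back described in the quote leaves a recognizable network pattern: a datagram to the router's TDDP service followed, within the four-second wait, by the router starting a TFTP transfer from the same host. The following detection sketch is an added example, not code from Garrett or TP-Link; the flow-record fields, the sample records and the TDDP port value are assumptions that are not stated in the article.

```python
from dataclasses import dataclass

TDDP_PORT = 1040  # assumption: UDP port of the TDDP service; confirm on the device
TFTP_PORT = 69    # standard TFTP port
WINDOW_S = 4.0    # per the article, TDDP waits up to four seconds for the file


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since capture start
    src: str
    dst: str
    proto: str
    dport: int


def find_tddp_connect_back(flows, router_ip, window=WINDOW_S):
    """Return (host, tddp_ts, tftp_ts) for every TDDP datagram that is followed
    by a router-initiated TFTP flow to the same host within the window."""
    alerts = []
    pending = {}  # requesting host -> timestamp of its latest TDDP datagram
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto != "udp":
            continue
        if f.dst == router_ip and f.dport == TDDP_PORT:
            pending[f.src] = f.ts
        elif f.src == router_ip and f.dport == TFTP_PORT:
            t0 = pending.get(f.dst)
            if t0 is not None and 0 <= f.ts - t0 <= window:
                alerts.append((f.dst, t0, f.ts))
                del pending[f.dst]
    return alerts


# Constructed sample flow records (not captured traffic).
SAMPLE = [
    Flow(100.0, "192.168.0.50", "192.168.0.1", "udp", 1040),
    Flow(100.8, "192.168.0.1", "192.168.0.50", "udp", 69),    # connect-back: alert
    Flow(200.0, "192.168.0.51", "192.168.0.1", "udp", 1040),
    Flow(209.0, "192.168.0.1", "192.168.0.51", "udp", 69),    # outside the window
    Flow(300.0, "192.168.0.1", "192.168.0.60", "udp", 69),    # TFTP with no TDDP before it
    Flow(400.0, "192.168.0.52", "192.168.0.1", "tcp", 1040),  # not UDP, ignored
]

if __name__ == "__main__":
    for host, t0, t1 in find_tddp_connect_back(SAMPLE, "192.168.0.1"):
        print(f"ALERT {host}: TDDP at {t0}s, router TFTP connect-back {t1 - t0:.1f}s later")
```

A home router has little reason to start TFTP transfers toward LAN clients, so any router-initiated TFTP flow is worth reviewing even when it falls outside the correlation window.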
Garrett says he reported the vulnerability to TP-Link in December through its security disclosure form. Although the page told him that he would get a response within three days, he has not heard back from them to date. He additionally said that he tweeted at TP-Link about the issue, but that drew no response either.