Chinese router maker TP-Link is wrestling with the disclosure of a handful of vulnerabilities in its C2 and C20i routers.
The most severe of the flaws leads to remote code execution on a device; the attack, however, would require that an attacker first obtain valid credentials.
Researcher Pierre Kim disclosed the issue last week in an advisory published on his GitHub page that was also picked up by several security lists, including Full Disclosure. He also said that TP-Link told him it plans to release updated firmware this month.
Kim also shared a timeline for his private disclosure to TP-Link. The Ivory Coast-based researcher said he found the flaw on Sept. 17, and disclosed on Dec. 26 and 27 via live chat and support channels. Kim said he was informed at first in the live chat that TP-Link had no vulnerability handling process and did not share a security contact. TP-Link confirmed the vulnerabilities on Jan. 9 and said updated firmware was being built. After four more interactions with TP-Link, Kim released a public advisory last week.
In addition to the remote code execution bug, Kim said he also found a vulnerability that allowed him to crash the two router models, as well as lax firewall rules that he described as “too permissive by default on the WAN interface.”
The remote code execution vulnerability, Kim said, was discovered in the router’s HTTP management interface and affects all firmware versions, including the latest (0.9.1 4.2 v0032.0, Build 160706 Rel.37961n). An attacker can exploit this flaw with a single, crafted HTTP request.
Kim said that the router’s Diagnostic page can be used to run any command, including telnetd, via the remote host field of the ping utility.
The researcher shared a crafted request, one that requires authentication, that would start telnetd on the router over TCP port 25. He added that an attacker could then use backticks to gain root and execute commands.
“With this RCE, an attacker will be able to dump and modify the configuration by editing /dev/mtd3,” Kim wrote in his advisory.
While authenticated, an attacker could also craft an HTTP request that will crash the routers’ remote HTTP servers, creating a denial-of-service condition.
TP-Link had a serious security issue last summer when it was learned that the router maker had lost control of two domains used to configure routers. The domains’ certificates expired and were resold to domain name brokers.
The domain, tplinklogin[.]net, was used by TP-Link to make it easy for router owners to access configuration webpages for many of the company’s routers. It was displayed on back labels of router hardware and also included in the routers’ official documentation.
Kim said he also found weak default credentials for the routers’ implementation of the vsftpd FTP server.
“The binaries (/usr/bin/cos, /usr/bin/tmpd, /lib/libcmm.so) are overall badly designed programs, executing tons of system() and running as root,” Kim said.
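The ping-field injection Kim describes and the heavy use of system() in the quoted binaries share one root cause: user-controlled text handed to a shell by a process running as root. The following is an added illustration, not code from Kim’s advisory or from TP-Link’s firmware. It places the unsafe pattern beside a hardened handler for a diagnostic ping page; the names is_valid_host and ping_safe, the fixed ping arguments and the 253-character limit are my own assumptions about what such a handler needs.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* UNSAFE pattern (shown for contrast, do not use): the remote-host field
 * from the HTTP request is spliced into a shell command line, so shell
 * metacharacters in it (backticks, ';', '|', '&&') become commands that
 * run with the web server's privileges, which is root on the devices in
 * the article. */
void ping_unsafe(const char *host)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "ping -c 3 %s", host);
    system(cmd);
}

/* Allow-list check for the host field: only characters a hostname or an
 * IPv4/IPv6 literal may contain, a sane length, and no leading '-' (which
 * ping would otherwise parse as an option). Returns 1 if acceptable. */
int is_valid_host(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253) /* assumed limit: max DNS name length */
        return 0;
    if (host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return 0;
    }
    return 1;
}

/* Hardened handler: validate first, then execute ping directly with an
 * argv array so no shell ever interprets the input. Returns ping's exit
 * status, or -1 if the input was rejected or the child could not run. */
int ping_safe(const char *host)
{
    if (!is_valid_host(host))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* fixed argument vector; the host is one argument, never parsed */
        char *argv[] = { "ping", "-c", "3", (char *)host, NULL };
        execvp("ping", argv);
        _exit(127); /* exec failed */
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <host>\n", argv[0]);
        return 2;
    }
    int rc = ping_safe(argv[1]);
    if (rc < 0)
        fprintf(stderr, "rejected or failed: %s\n", argv[1]);
    return rc < 0 ? 1 : rc;
}
```

The validation step alone would stop the backtick trick Kim mentions, but the exec-with-argv form is the part that removes the shell from the path entirely; dropping root privileges in the child before execvp() would further limit what any remaining bug in ping could do.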