A zero-day bug has been uncovered in the TP-Link SR20 smart hub and home router, which would allow a local adversary to execute arbitrary commands on the device without authentication and establish a persistent backdoor for remote access.
The SR20 is an all-in-one router that can also work as an Internet of Things (IoT) hub; it supports ZigBee and Z-Wave, two popular wireless IoT standards for short-range connections to smart lights, smart outlets, the Nest thermostat, video doorbells and the like.
According to Google developer Matthew Garrett, who found and reported the flaw (with no response from TP-Link, he said), the problem lies in the TP-Link Device Debug Protocol (tddp), which runs with root privileges on many TP-Link routers.
It's been over 90 days since I reported it and @TPLINK never responded, so: arbitrary command execution on the TP-Link SR20 smart hub and router (and possibly other TP-Link devices)
— Matthew Garrett (@mjg59), March 28, 2019
“It’s had multiple vulnerabilities in the past and the protocol is fairly well documented,” he said via tweet on Wednesday, 90 days after he informed TP-Link of the bug via the company’s official bug submission form. “Version 1 has no auth, version 2 requires the admin password. The SR20 still exposes some version 1 commands, one of which (command 0x1f, request 0x01) appears to be for some sort of configuration validation. You send it a filename, a semicolon and then an argument.”
In a technical analysis, he noted that when the router receives this command, it connects back to the requesting machine over TFTP (a file transfer protocol that requires no authentication) to validate its configuration: it requests the named file via TFTP and imports it into a Lua interpreter, which also runs with root privileges. It then “passes the argument to the config_test() function in the file it just imported,” Garrett said.
So, with a specially crafted file, it’s possible to “execute whatever you want, and you’re running as root, so victory,” he said, without authentication. He developed a proof-of-concept demonstrating the issue.
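The request sequence described above can be recognised on the wire. The following detection-side example is added here and is not part of the article or of Garrett's proof of concept; it classifies captured UDP datagrams addressed to a router's TDDP port, flagging any unauthenticated version 1 command and, with higher severity, the 0x1f/0x01 configuration-validation request that triggers the TFTP fetch. The 28-byte TDDP header layout and the UDP port 1040 are taken from public protocol documentation rather than from the article and are therefore assumptions of the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# TDDP fixed header (28 bytes). Layout and UDP port come from the public
# protocol documentation, not from the article, so treat both as assumptions:
# version, type, code, reply_info, length, pkt_id, subtype, reserved,
# then a 16-byte MD5 digest. The payload follows the header.
TDDP_HEADER = struct.Struct("!BBBBIHBB16s")
TDDP_PORT = 1040
CONFIG_VALIDATE_TYPE, CONFIG_VALIDATE_SUBTYPE = 0x1F, 0x01  # values given in the article

@dataclass
class TddpAlert:
    severity: str
    reason: str
    filename: str = ""
    argument: str = ""

def inspect_tddp(datagram: bytes, dst_port: int) -> Optional[TddpAlert]:
    """Classify one captured UDP datagram sent toward a router's TDDP port."""
    if dst_port != TDDP_PORT or len(datagram) < TDDP_HEADER.size:
        return None
    version, ptype, _code, _reply, _length, _pkt_id, subtype, _rsv, _md5 = \
        TDDP_HEADER.unpack_from(datagram)
    if version != 1:
        return None  # v2 requires the admin password; not the unauthenticated path
    if (ptype, subtype) == (CONFIG_VALIDATE_TYPE, CONFIG_VALIDATE_SUBTYPE):
        # v1 payload is plain text "filename;argument" as the article describes;
        # stop at the first NUL so trailing padding does not leak into the fields.
        text = datagram[TDDP_HEADER.size:].split(b"\x00", 1)[0].decode("latin-1")
        filename, _, argument = text.partition(";")
        return TddpAlert("high", "TDDP v1 config-validation request: router will fetch "
                         "the named file over TFTP and run it as root", filename, argument)
    return TddpAlert("medium", f"unauthenticated TDDP v1 command, type=0x{ptype:02x}")

def make_tddp(version: int, ptype: int, subtype: int, payload: bytes) -> bytes:
    """Build a datagram for the constructed samples below (digest left zeroed)."""
    return TDDP_HEADER.pack(version, ptype, 0, 0, len(payload), 0, subtype, 0,
                            b"\x00" * 16) + payload

# Constructed sample traffic: a v1 validation request, another v1 command,
# a v2 packet, and unrelated noise on a different port.
SAMPLE_TRAFFIC = [
    (1040, make_tddp(1, 0x1F, 0x01, b"config.lua;check")),
    (1040, make_tddp(1, 0x0A, 0x00, b"")),
    (1040, make_tddp(2, 0x1F, 0x01, b"\x00" * 8)),
    (53, b"not tddp at all"),
]

if __name__ == "__main__":
    for port, dgram in SAMPLE_TRAFFIC:
        print(port, inspect_tddp(dgram, port))
```

A sensor placed on the LAN segment can feed UDP payloads to `inspect_tddp`; any hit on a production device is worth investigating, since the debug daemon should not be reachable at all.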
He added that the default firewall rules on the router block WAN access, so an attacker would need to be on the same local network as the router in order to succeed. This is, of course, a significant mitigating factor. A compromise would allow an attacker to infiltrate these systems if they still have default passwords, and would open the door to man-in-the-middle attacks and information exfiltration, or malware implantation on any vulnerable connected laptops and the like. However, an attacker with local network access would presumably already be able to do that in the first place.
Garrett told Threatpost via tweet that in terms of the danger to consumers, “it allows persistence – have access to the network once and you can backdoor the router to give you remote access in future.”
TP-Link did not immediately respond to a request for comment – and didn’t respond to Garrett, either.
“Anyway, stop shipping debug daemons on production firmware and if you’re going to have a webform to submit security issues then have someone actually respond to it,” Garrett tweeted.