• Home
  • Laptops
  • Laptops News
  • TP Link SR20 Router Vulnerability Disclosed by Google Researcher After No Response From Company

TP-Link SR20 Router Vulnerability Disclosed by Google Researcher After No Response From Company

Share on Facebook Tweet Share Reddit Comment
TP-Link SR20 Router Vulnerability Disclosed by Google Researcher After No Response From Company

TP-Link vulnerability exposes type 1 commands for attackers to exploit

Highlights
  • Google researcher told TP-Link of this issue in December
  • He got no response from the company, his tweet was also ignored
  • He then published the TP-Link SR20 router vulnerability online

According to Google security researcher Matthew Garrett, TP-Link's SR20 Smart Home Router comes with a vulnerability that allows arbitrary command execution from a local network connection. This exploit was disclosed by the researcher after he was unable to solicit a response from TP-Link, and even published a proof-of-concept to demonstrate the vulnerability. The router, which was launched in 2016, exposes a number of commands that come with root privileges and does not even require authentication. Garrett disclosed the proof-of-concept, after waiting for the Google Project Zero team's 90-day deadline for disclosure to elapse.

Garrett took to Twitter to explain that the TP Link SR20 Smart Home Router comes with TDDP (TP-Link Device Debug Protocol), which is affected with several vulnerabilities, and one of them is that version 1 commands are exposed for attackers to exploit.

He says that these exposed commands allow attackers to send a command containing a filename, a semicolon, to execute the process. “This connects back to the machine that sent the command and attempts to download a file via TFTP (Trivial File Transfer Protocol) corresponding to the filename it sent. The main TDDP process waits up to four seconds for the file to appear - once it does, it loads the file into a Lua interpreter it initialised earlier, and calls the function config_test() with the name of the config file and the remote address as arguments. Since config_test() is provided by the file that was downloaded from the remote machine, this gives arbitrary code execution in the interpreter, which includes the os.execute method which just runs commands on the host. Since TDDP is running as root, you get arbitrary command execution as root,” he explains on the blog.

This process allows for full takeover of the SR20 router. Garett says he reported to TP-Link of this vulnerability in December, via its security disclosure form. The page told him that he would get a response within three days, but hasn't heard back from them till date. He also said that he tweeted at TP-Link regarding the matter, but that garnered no response either.

He ends by suggesting to the company, “Don't default to running debug daemons on production firmware”, and, “If you're going to have a security disclosure form, read it.”

Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and subscribe to our YouTube channel.

Further reading: TP LInk, TP Link SR20 Router, Google
Tasneem Akolawala When not expelling tech wisdom, Tasneem feeds on good stories that strike on all those emotional chords. She loves road trips, a good laugh, and interesting people. She binges on movies, sitcoms, food, books, and DIY videos. More
Samsung Galaxy S10, Galaxy S10+, Galaxy S10e to Receive 25W Fast Charging Support via OTA Update Next Month: Report
Ola Rolls Out Cab Service in 3 More UK Cities - Birmingham, Liverpool, Reading
 
 

Advertisement

 

Advertisement