According to Google security researcher Matthew Garrett, TP-Link's SR20 Smart Home Router comes with a vulnerability that allows arbitrary command execution from a local network connection. This exploit was disclosed by the researcher after he was unable to solicit a response from TP-Link, and even published a proof-of-concept to demonstrate the vulnerability. The router, which was launched in 2016, exposes a number of commands that come with root privileges and does not even require authentication. Garrett disclosed the proof-of-concept, after waiting for the Google Project Zero team's 90-day deadline for disclosure to elapse.
Garrett took to Twitter to explain that the TP Link SR20 Smart Home Router comes with TDDP (TP-Link Device Debug Protocol), which is affected with several vulnerabilities, and one of them is that version 1 commands are exposed for attackers to exploit.
He says that these exposed commands allow attackers to send a command containing a filename, a semicolon, to execute the process. “This connects back to the machine that sent the command and attempts to download a file via TFTP (Trivial File Transfer Protocol) corresponding to the filename it sent. The main TDDP process waits up to four seconds for the file to appear - once it does, it loads the file into a Lua interpreter it initialised earlier, and calls the function config_test() with the name of the config file and the remote address as arguments. Since config_test() is provided by the file that was downloaded from the remote machine, this gives arbitrary code execution in the interpreter, which includes the os.execute method which just runs commands on the host. Since TDDP is running as root, you get arbitrary command execution as root,” he explains on the blog.
This process allows for full takeover of the SR20 router. Garett says he reported to TP-Link of this vulnerability in December, via its security disclosure form. The page told him that he would get a response within three days, but hasn't heard back from them till date. He also said that he tweeted at TP-Link regarding the matter, but that garnered no response either.
He ends by suggesting to the company, “Don't default to running debug daemons on production firmware”, and, “If you're going to have a security disclosure form, read it.”