Google security expert Matthew Garrett discloses Zero-day arbitrary code execution vulnerability after 90-day silence from TP-Link
TP-Link's SR20 Smart Home Router is affected by a zero-day vulnerability that allows arbitrary command execution (ACE) from the local network. Google security engineer Matthew Garrett recently disclosed the flaw on Twitter after TP-Link failed to respond within 90 days of the initial report. The 38-line proof-of-concept script was published on Pastebin.
According to Garrett, the flaw lies in the "TDDP" process, which has had multiple well-documented vulnerabilities in the past:
TP-Link routers frequently run a process called “tddp” (TP-Link Device Debug Protocol) as root. It's had multiple vulnerabilities in the past and the protocol is fairly well documented. Version 1 has no auth, version 2 requires the admin password.
Version 1 requires no authentication at all, while version 2 requires the admin password. The researcher said that version 1 is still in use on TP-Link's All-in-one SR20 Smart Home Router.
IoT vulnerabilities are nothing new. Late last year, UPnP-enabled IoT devices were found to be exposed to attack by a five-year-old vulnerability affecting devices produced by D-Link, ZTE, and TP-Link.
While vendors patch some flaws, others are simply ignored, as this case shows. Zero-days affecting IoT devices can leave users open to information theft and further malware infections.
A potential ACE vulnerability attack scheme
According to Garrett, one of the version 1 commands is used for configuration validation. It lets the sender supply a filename, a semicolon, and an argument, which form the initial attack vector.
The researcher explains further:
The router then connects back to the requesting machine over TFTP, requests the filename via TFTP, imports it into a Lua interpreter and passes the argument to the config_test() function in the file it just imported. The interpreter is running as root.
The os.execute() method allows you to execute whatever you want, and you're running as root, so victory. tddp is listening on all interfaces but the default firewall rules block WAN access, so this is local network only.
The vulnerability can only be exploited via local area network
Although the vulnerability is a zero-day, specific conditions must be met for it to be exploited. The TDDP process listens on all interfaces, but the router's default firewall rules block access from outside networks. The flaw can therefore only be abused by devices connected to the local area network (LAN).
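The sequence Garrett describes (a TDDP request arriving at the router, followed by the router opening a TFTP connection back to the requesting host) is also what a defender can watch for on the LAN, since a home router has no normal reason to fetch files from client machines over TFTP. The Python script below is an added example, not Garrett's proof of concept and not TP-Link code: it parses constructed UDP flow records and flags hosts that the router called back over TFTP shortly after they sent TDDP traffic. The TDDP port (UDP 1040, which the tddp daemon is known to use), the router address, the flow-line format and the correlation window are assumptions for the example.

```python
"""Flag the TDDP -> TFTP callback pattern in UDP flow records.

Added detection example for a LAN; constructed data, not a proof of concept.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

TDDP_PORT = 1040        # UDP port the tddp daemon is known to listen on (verify on your device)
TFTP_PORT = 69          # standard TFTP port
WINDOW_SECONDS = 10.0   # assumption: a TFTP callback within 10 s of a TDDP request counts as related
ROUTER_IP = "192.168.0.1"  # assumption: LAN address of the router under observation


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line: '<ts> <src>:<sport> -> <dst>:<dport> <proto>'."""
    ts, src, _, dst, proto = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Flow(float(ts), s_ip, int(s_port), d_ip, int(d_port), proto.upper())


def find_tddp_tftp_callbacks(flows: Iterable[Flow], router_ip: str,
                             window: float = WINDOW_SECONDS) -> List[Tuple[str, float, float]]:
    """Return (client_ip, tddp_ts, tftp_ts) for every router-initiated TFTP flow
    to a host that sent TDDP traffic to the router within `window` seconds before."""
    pending = defaultdict(list)   # client -> timestamps of its TDDP requests
    hits = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.proto != "UDP":
            continue
        if f.dst == router_ip and f.dport == TDDP_PORT:
            pending[f.src].append(f.ts)
        elif f.src == router_ip and f.dport == TFTP_PORT:
            # The router is the TFTP *client* here: correlate with recent TDDP requests.
            recent = [t for t in pending.get(f.dst, []) if 0 <= f.ts - t <= window]
            if recent:
                hits.append((f.dst, max(recent), f.ts))
    return hits


def router_tftp_targets(flows: Iterable[Flow], router_ip: str) -> Set[str]:
    """Weaker signal: every LAN host the router ever contacted as a TFTP client,
    whether or not a TDDP request was seen first (catches gaps in capture)."""
    return {f.dst for f in flows
            if f.proto == "UDP" and f.src == router_ip and f.dport == TFTP_PORT}


# Constructed flow records: one tight TDDP->TFTP pair (.37), one TFTP fetch with
# a TDDP request far outside the window (.22), and unrelated DNS/HTTP traffic.
SAMPLE_FLOWS = """\
100.0 192.168.0.20:51000 -> 192.168.0.1:53 UDP
101.2 192.168.0.37:40001 -> 192.168.0.1:1040 UDP
101.9 192.168.0.1:3480 -> 192.168.0.37:69 UDP
150.0 192.168.0.22:55000 -> 192.168.0.1:1040 UDP
200.0 192.168.0.1:3481 -> 192.168.0.22:69 UDP
300.0 192.168.0.50:44444 -> 192.168.0.1:80 TCP
""".splitlines()


def main() -> None:
    flows = [parse_flow(line) for line in SAMPLE_FLOWS]
    for client, tddp_ts, tftp_ts in find_tddp_tftp_callbacks(flows, ROUTER_IP):
        print(f"ALERT: router fetched TFTP from {client} {tftp_ts - tddp_ts:.1f}s "
              f"after a TDDP request from that host")
    for client in sorted(router_tftp_targets(flows, ROUTER_IP)):
        print(f"NOTE: router acted as TFTP client towards {client}")


if __name__ == "__main__":
    main()
```

The correlated alert is the high-confidence signal; the second, weaker list is worth keeping because the TDDP request and the TFTP callback may land on different capture points, and a consumer router acting as a TFTP client towards a LAN host is unusual on its own.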
The researcher does not hide his disappointment at the delayed response (or rather, the lack of any response) in his Twitter post:
Anyway, stop shipping debug daemons on production firmware and if you're going to have a webform to submit security issues then have someone actually respond to it.
Indeed, networking equipment manufacturers should take more responsibility for patching zero-day vulnerabilities, especially when the details are handed to them for fixing.