TP-Link’s SR20 Router impacted by zero-day ACE vulnerability

• The vulnerability arises from the issue that the TP-Link’s smart home routers frequently run a process called TDDP (TP-Link Device Debug Protocol) as root.
• TDDP allows running two types of commands on the router. The first type of command does not require any authentication and the second type of command asks for administrator credentials.

What is the issue - Google security developer Matthew Garrett disclosed that a zero-day arbitrary code execution (ACE) vulnerability in TP-Link’s SR20 Smart Home Router allows attackers to execute arbitrary commands.

What is the root cause - The vulnerability arises from the issue that the TP-Link’s smart home routers frequently run a process called TDDP (TP-Link Device Debug Protocol) as root.

Why it matters - The TDDP protocol contains several other vulnerabilities.

TDDP allows running two types of commands on the router,

• The first type of command does not require any authentication.
• The type 2 command asks for administrator credentials.

Worth noting - Garrett reported the issue to TP-Link but did not receive any response for 90 days. The security developer then made the vulnerability public.

“It's been over 90 days since I reported it and @TPLINK never responded, so: arbitrary command execution on the TP-Link SR20 smart hub and router (and possibly other TP-Link device),” Garrett tweeted.

More details on the vulnerability

Garrett stated that the router exposes several type 1 commands with one of the commands (command 0x1f, request 0x01) is for a type of configuration validation. This allows attackers to send a command containing a filename, a semicolon, and an argument.

• The router then connects back to the requesting system over TFTP and requests the filename via TFTP.
• It then imports into a LUA interpreter, which is running as root and passes the argument to the config_test() function in the file it just imported.
• Then, the os.execute() method will allow attackers to execute any command they want as root, leading to a full take over of any compromised TP-Link SR20 devices.

“Anyway, stop shipping debug daemons on production firmware and if you're going to have a webform to submit security issues then have someone actually respond to it,” Garrett tweeted.