
TP-Link SR20 Smart Home Routers Contain Zero-Day Flaw

Google security researcher Matthew Garrett discovered a zero-day vulnerability in the TP-Link SR20 router. After the company failed to respond to private disclosure, the researcher decided to make the flaw public.

TP-Link SR20 Vulnerability Technical Overview

The vulnerability is a zero-day arbitrary code execution bug. The TP-Link SR20 routers are dual-band 2.4 GHz / 5 GHz products suitable for controlling smart home and IoT devices. They also support devices that run the ZigBee and Z-Wave protocols.

Apparently, the researcher reported the security flaw to TP-Link privately more than 90 days ago but received no response. Attempts to contact the company in other ways were also unsuccessful:

I reported this to TP-Link in December via their security disclosure form, a process that was made difficult by the Detailed description field being limited to 500 characters. The page informed me that I’d hear back within three business days; a couple of weeks later, with no response, I tweeted at them asking for a contact and heard nothing back. Someone else’s attempt to report tddp vulnerabilities had a similar outcome, so here we are.

As for the vulnerability itself, the issue stems from a process that these routers run frequently. The process is known as “tddp”, the TP-Link Device Debug Protocol. It runs as root and accepts two types of commands: the first type does not require authentication, the second type does.

Related: CVE-2018-15702: TP-LINK TL-WR841N Router Vulnerability Found.

The vulnerability exposes some type one commands. One of them, command 0x1f, request 0x01, serves for configuration validation, as explained by Garrett.

Dumping tddp into Ghidra makes it pretty easy to find a function that calls recvfrom(), the call that copies information from a network socket. It looks at the first byte of the packet and uses this to determine which protocol is in use, and passes the packet on to a different dispatcher depending on the protocol version. For version 1, the dispatcher just looks at the second byte of the packet and calls a different function depending on its value. 0x31 is CMD_FTEST_CONFIG, and this is where things get super fun, the researcher wrote.

What happens next is that this function parses the packet for a payload that contains two strings separated by a semicolon. The first string is a filename, and the second one is a config file. It then calls tddp_execCmd(“cd /tmp; tftp -gr %s %s &”, luaFile, remote_address), which executes the tftp command in the background.

This connects back to the machine that sent the command and attempts to download a file via tftp corresponding to the filename it sent. The main tddp process waits up to 4 seconds for the file to appear; once it does, it loads the file into a Lua interpreter it initialised earlier, and calls the function config_test() with the name of the config file and the remote address as arguments.

Since config_test() is administered by the file downloaded from the remote machine, arbitrary code execution in the interpreter is allowed, which includes the os.execute method running commands on the host. Since tddp is running as root, you get arbitrary command execution as root, Garrett concluded.
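The packet layout described above (first byte selects the protocol version, second byte selects the command, and for CMD_FTEST_CONFIG a payload of two semicolon-separated strings) lends itself to a simple network-side check. The following detector is an added example, not code from the article or from TP-Link; it assumes the payload immediately follows the two dispatch bytes (the article does not state the full header length, so that offset is a parameter) and operates on constructed sample packets.

```python
"""Flag TDDP v1 CMD_FTEST_CONFIG requests in captured datagram payloads."""
from dataclasses import dataclass
from typing import List, Optional

TDDP_VERSION_1 = 0x01     # first byte: protocol version dispatched by tddp
CMD_FTEST_CONFIG = 0x31   # second byte: the unauthenticated config-test command


@dataclass
class Finding:
    version: int
    command: int
    filename: Optional[str]      # first semicolon-separated string
    config_file: Optional[str]   # second semicolon-separated string
    suspicious: bool             # True when the packet matches the risky command


def parse_tddp(data: bytes, payload_offset: int = 2) -> Optional[Finding]:
    """Classify one datagram payload according to the tddp dispatch logic.

    payload_offset is an assumption: the article only documents the first two
    bytes, so callers can adjust where the string payload begins.
    """
    if len(data) < 2:
        return None  # too short to carry version and command bytes
    version, command = data[0], data[1]
    if version != TDDP_VERSION_1 or command != CMD_FTEST_CONFIG:
        return Finding(version, command, None, None, False)
    # The handler expects "<filename>;<configfile>", so split on the first ';'.
    body = data[payload_offset:].split(b"\x00", 1)[0]
    if b";" not in body:
        return Finding(version, command, None, None, False)
    fname, cfg = body.split(b";", 1)
    return Finding(version, command,
                   fname.decode("ascii", errors="replace"),
                   cfg.decode("ascii", errors="replace"), True)


def scan(packets: List[bytes]) -> List[Finding]:
    """Return only the findings that would trigger the tftp-and-Lua path."""
    hits = []
    for pkt in packets:
        finding = parse_tddp(pkt)
        if finding is not None and finding.suspicious:
            hits.append(finding)
    return hits


# Constructed sample traffic: one benign v1 command, one v2 packet, one match.
SAMPLE_PACKETS = [
    b"\x01\x10some-other-command",
    b"\x02\x31not-version-one;x",
    b"\x01\x31config_test.lua;device.cfg\x00",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PACKETS):
        print(f"CMD_FTEST_CONFIG request: file={hit.filename} cfg={hit.config_file}")
```

A hit means a client asked the router to fetch a Lua file from the sender over tftp and run config_test() from it, so such traffic from untrusted networks is worth alerting on or blocking at the edge.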

A proof-of-concept code is also available for the vulnerability in TP-Link SR20 smart home routers.

Milena Dimitrova
