What is the issue - Google security developer Matthew Garrett disclosed that a zero-day arbitrary code execution (ACE) vulnerability in TP-Link’s SR20 Smart Home Router allows attackers to execute arbitrary commands.
What is the root cause - The vulnerability arises because TP-Link’s smart home routers frequently run a process called TDDP (TP-Link Device Debug Protocol) as root.
Why it matters - The TDDP protocol contains several other vulnerabilities.
TDDP allows running two types of commands on the router,
Worth noting - Garrett reported the issue to TP-Link but did not receive any response for 90 days. The security developer then made the vulnerability public.
“It's been over 90 days since I reported it and @TPLINK never responded, so: arbitrary command execution on the TP-Link SR20 smart hub and router (and possibly other TP-Link device),” Garrett tweeted.
More details on the vulnerability
Garrett stated that the router exposes several type 1 commands, one of which (command 0x1f, request 0x01) is for a type of configuration validation. This allows attackers to send a command containing a filename, a semicolon, and an argument.
“Anyway, stop shipping debug daemons on production firmware and if you're going to have a webform to submit security issues then have someone actually respond to it,” Garrett tweeted.