Researcher reveals arbitrary command execution on the TP-Link SR20 smart hub and router
This week, researchers at Google’s security lab fully disclosed a security vulnerability in the TP-Link SR20 home smart router. The vulnerability allows anyone to execute any command with the highest system privilege without password authentication. Fortunately, it can only be exploited locally and cannot be triggered remotely.
It's been over 90 days since I reported it and @TPLINK never responded, so: arbitrary command execution on the TP-Link SR20 smart hub and router (and possibly other TP-Link device)
— Matthew Garrett (@mjg59@nondeterministic.computer) (@mjg59) March 28, 2019
So far the vulnerability has not been fixed, and no new firmware version has been released to address it. The details of the vulnerability were disclosed by Google after 90 days.
Researchers say that TP-Link routers frequently run a process called “tddp” (TP-Link Device Debug Protocol) as root, and that this process has previously been found to contain multiple other vulnerabilities. The newly discovered vulnerability is also located in this debugging protocol. An attacker only needs to send a file name followed by a semicolon and parameters to have the file imported into the interpreter. Because the interpreter itself runs with the highest privilege, the attacker can theoretically execute any command, including various malicious operations.
The Google developer also created a proof-of-concept (PoC) for this vulnerability.