It's been over 90 days since I reported it and @TPLINK never responded, so: arbitrary command execution on the TP-Link SR20 smart hub and router (and possibly other TP-Link device)

TP-Link routers frequently run a process called "tddp" (TP-Link Device Debug Protocol) as root. It's had multiple vulnerabilities in the past and the protocol is fairly well documented. Version 1 has no auth, version 2 requires the admin password.

The SR20 still exposes some version 1 commands, one of which (command 0x1f, request 0x01) appears to be for some sort of configuration validation. You send it a filename, a semicolon and then an argument.

The router then connects back to the requesting machine over TFTP, requests the filename via TFTP, imports it into a LUA interpreter and passes the argument to the config_test() function in the file it just imported. The interpreter is running as root.

The os.execute() method allows you to execute whatever you want, and you're running as root, so victory. tddp is listening on all interfaces but the default firewall rules block WAN access, so this is local network only.

Anyway, stop shipping debug daemons on production firmware and if you're going to have a webform to submit security issues then have someone actually respond to it.

PoC at pastebin.com/GAzccR95

(Successfully tested this using qemu-user-arm to run tddp on my laptop, which makes debugging stuff a *lot* easier)

Oh yeah bother I was probably supposed to put a copyright header on that

Bother, misread my notes - command 0x31, not command 0x1f.

Blogged about the TP-Link SR20 vulnerability at mjg59.dreamwidth.org/51672.html, which reminded me that @CoreSecurity had the same experience when they reported TDDP flaws: coresecurity.com/advisories/tp-…