TP-Link's SR20 Smart Home Router is impacted by a zero-day arbitrary code execution (ACE) vulnerability that allows potential attackers on the same network to execute arbitrary commands, as disclosed on Twitter by Google security developer Matthew Garrett.
Garrett disclosed the ACE 0-day after TP-Link did not provide a response during the 90 days since his report. As he explained in the Twitter thread, the zero-day stems from the fact that "TP-Link routers frequently run a process called 'tddp' (TP-Link Device Debug Protocol) as root," a process that has previously been found to contain multiple other vulnerabilities [1, 2].
TDDP allows running two types of commands on the device: type 1 commands, which do not require authentication, and type 2 commands, which ask for administrator credentials.
...
...
Zero-day allows attackers to execute arbitrary code as root
As detailed by Garrett, the vulnerable router exposes a number of type 1 commands, and one of them (command 0x1f, request 0x01) "appears to be for some sort of configuration validation," allowing would-be attackers to send a command containing a filename, a semicolon, and an argument to initiate the exploitation process.
...