TP-Link Fixes Code Execution Vulnerability in End of Life Routers | Threatpost
Router manufacturer TP-Link recently fixed a vulnerability in a discontinued line of routers that if exploited could have been used to execute code on the device.
Researchers at Senrio, a firm that specializes in IoT security, uncovered a logic vulnerability in a configuration service present in TP-Link’s PTWR841N V8 router models.
Researchers with the firm discovered a similar vulnerability, last summer, that also affected a smart device’s configuration service. That issue, a faulty software component in more than 100 models of D-Link WiFi cameras, exposed the devices to remote attacks.
Through the logic flaw in the routers, researchers were able to reset the device’s credentials and from there, gain code execution via a stack overflow vulnerability in the service.
Members of the company’s security team agreed to remove the configuration service from the model, even though it was discontinued, after Senrio researchers brought the issue to their attention.
While researchers with Senrio applauded the company for its move, they warned Monday that it’s likely many of the router’s owners aren’t running the latest, patched version of hardware. Judging from numbers on Shodan, at least 93,328 of the routers are in use, worldwide, the researchers cautioned.
Until they were fixed, the vulnerabilities could have been exploited via a smartphone’s hotspot capability via a proximity attack, something that would have involved sending a number of commands to the target device, researchers say.
The configuration service allowed a user on the network to read and write system settings, researchers said Monday. Any arguments to commands had to be encrypted with a key based on the username and password. Since the researchers could retrieve the encrypted version of text from this configuration service, they determined they could copy it and send it back to the router as an argument. The researchers set the name of a smartphone to the signature, turned on the hotspot capability, and sent a command to look for nearby hotspots. Before doing so, the researchers added the word “init” to the end of the phone’s signature to make it stand out.
“We knew we would find the encrypted version of ‘init’ in the 8 characters following the signature in our entry,” the researchers wrote. “This allowed us to use the encrypted ‘init’ as an argument to a command that reset the router to its default settings, including the credentials to the default username and password.”
Once in, they used the aforementioned stack overflow to gain code execution and as a neat visual, used their code to blink a light on the router to say “Hi Senrio” in morse code.
A video demonstrating the attack can be seen accompanying a blog post published by the researchers around the vulnerability on Monday.
It’s possible, as research published by Ben-Gurion University demonstrated last week, an attacker could leverage the router’s blinking lights to exfiltrate data. Researchers with the Israeli university said they were able to extract 8000 bits of data per second using a router with eight LED lights.
An attacker could also use vulnerability to modify the router’s settings to reroute traffic to a malicious server, the researchers say.