Hackers frequently target routers, the gateways connecting devices and networks to the internet, because they are often neglected when it comes to security updates.
Cybersecurity researchers at OneKey recently discovered a flaw in the TP-Link Archer C5400X router that allows attackers to hack devices remotely.
TP-Link Archer C5400X Router Flaw
Researchers identified multiple zero-day vulnerabilities in the firmware, including command injection, format-string injection, and buffer overflows. These findings, alongside others affecting vendors such as Cisco, were disclosed after rigorous testing and validation against the researchers’ firmware corpus to ensure the analysis results were meaningful.
The TP-Link Archer C5400X’s rftest binary, which tests the wireless system interface, exposes a network listener on TCP ports 8888-8890 that can be reached without any login.
Security analysts warn that this flaw could grant attackers higher privileges than the device owner.
However, TP-Link has conducted an exposure analysis, noting that being able to run and demonstrate the vulnerable binary is not always equivalent to real-world exploitability.
The root cause of the command injection vulnerability was reading user-controlled input from the TCP port 8888 socket.
During boot, the TP-Link router’s /etc/init.d/wireless script runs /sbin/wifi init, which imports /lib/wifi/tplink_brcm.sh and eventually calls /usr/sbin/rftest.
The rftest binary propagates user-controlled input from TCP port 8888 into popen() calls, enabling command injection whenever the input contains “wl” or starts with “nvram” and includes “get”.
Cybersecurity analysts identified the root cause of this vulnerability as insecure data propagation within rftest. The TP-Link C5400X’s rftest binary launches a TCP server on port 8888 that accepts commands prefixed with “wl” or “nvram get.”
This can be mitigated by rejecting shell metacharacters such as “;”, “&”, and “|”, which are what turn the popen() call into a command injection. Testing showed that remote code execution was possible by connecting to port 8888 and injecting a crafted command.
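The following added example (not TP-Link’s or OneKey’s code; a reconstruction written for this page) contrasts the insecure pattern the article describes, a request line handed straight to popen(), with a hardened dispatcher that allow-lists the permitted bytes, tokenizes the request, accepts only the exact “wl …” and “nvram get <name>” command shapes, and executes the helper binary via execv() so no shell ever sees the input. The binary paths /usr/sbin/wl and /bin/nvram, the argument limits, and the sample request lines are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_ARGS 8
#define MAX_LINE 256

/* INSECURE pattern as the article describes it (reconstruction for
 * illustration, not the vendor's code): a line read from the TCP socket is
 * passed to popen() once it matches the loose "wl" / "nvram ... get" check,
 * so /bin/sh interprets any ';', '&', '|', backtick or $(...) inside it. */
int insecure_dispatch(const char *line)
{
    int matches = strstr(line, "wl") != NULL ||
                  (strncmp(line, "nvram", 5) == 0 && strstr(line, "get") != NULL);
    if (!matches)
        return -1;
    FILE *p = popen(line, "r");          /* command injection point */
    if (p == NULL)
        return -1;
    return pclose(p);
}

/* Hardened validation: allow-list the bytes, split on single spaces, and
 * accept only the exact command shapes the service needs. Returns 1 and
 * fills argv/argc (argv points into buf) when the request is acceptable,
 * 0 otherwise. */
int validate_request(const char *line, char *buf, size_t buflen,
                     char *argv[MAX_ARGS + 1], int *argc)
{
    size_t len = strlen(line);
    if (len == 0 || len >= buflen)
        return 0;
    /* Letters, digits, '_', '.', '-' and spaces only: every shell
     * metacharacter, quote, slash and '=' is rejected before tokenizing. */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)line[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-' || c == ' '))
            return 0;
    }
    memcpy(buf, line, len + 1);
    *argc = 0;
    for (char *tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        if (*argc >= MAX_ARGS)
            return 0;
        argv[(*argc)++] = tok;
    }
    argv[*argc] = NULL;
    if (*argc == 0)
        return 0;
    /* Exact shapes: "wl <subcommand> [...]" or "nvram get <name>". */
    if (strcmp(argv[0], "wl") == 0)
        return *argc >= 2;
    if (strcmp(argv[0], "nvram") == 0)
        return *argc == 3 && strcmp(argv[1], "get") == 0;
    return 0;
}

/* Convenience wrapper: 1 if the request line would be accepted, else 0. */
int request_ok(const char *line)
{
    char buf[MAX_LINE];
    char *argv[MAX_ARGS + 1];
    int argc;
    return validate_request(line, buf, sizeof buf, argv, &argc);
}

/* Hardened dispatch: validated argv goes to execv(), never to a shell.
 * Returns the child's exit status, or -1 if the request was rejected. */
int secure_dispatch(const char *line)
{
    char buf[MAX_LINE];
    char *argv[MAX_ARGS + 1];
    int argc;
    if (!validate_request(line, buf, sizeof buf, argv, &argc))
        return -1;
    /* Assumed helper binary locations for this example. */
    const char *path = strcmp(argv[0], "wl") == 0 ? "/usr/sbin/wl" : "/bin/nvram";
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(path, argv);               /* argv passed verbatim, no /bin/sh */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample requests: one benign, one carrying a metacharacter. */
    const char *samples[] = { "nvram get wl0_ssid", "nvram get wl0_ssid; reboot" };
    for (size_t i = 0; i < 2; i++)
        printf("%-30s -> %s\n", samples[i], request_ok(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The allow-list is deliberately narrower than “no ; & |”: rejecting only the three metacharacters named in the article still leaves backticks, `$(...)`, newlines and redirections for the shell to interpret, whereas combining a byte allow-list with an exact command shape and a shell-free execv() removes the interpreter from the path entirely.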
TP-Link has fixed this vulnerability in version 1.1.1.7, which users are encouraged to install through the router’s upgrade feature.