TP-Link Archer C5400X Router Flaw Allows Remote Hacking

Home/Internet Security, Remote code execution, Security Advisory, Security Update, vulnerability/TP-Link Archer C5400X Router Flaw Allows Remote Hacking

TP-Link Archer C5400X Router Flaw Allows Remote Hacking

Hackers frequently target routers, the gateways connecting devices and networks to the internet, because they are often neglected for security updates.

Cybersecurity researchers at OneKey recently discovered a flaw in the TP-Link Archer C5400X router that allows attackers to hack devices remotely.

TP-Link Archer C5400X Router Flaw

Researchers identified multiple zero-day vulnerabilities in the firmware, including command injection, format string in shell, and buffer overflows. These findings, alongside others from vendors like Cisco, were disclosed after rigorous testing and validation on the researchers’ firmware corpus, ensuring meaningful analysis results.

The TP-Link Archer C5400X’s rftest file, which tests the wireless system interface, has a network listener vulnerable to attacks on TCP ports 8888-8890 without requiring login.

Security analysts warn that this flaw could grant attackers higher privileges than the device owner.

However, TP-Link has conducted an exposure analysis, noting that running and demonstrating the binary is not always equivalent to real-world exploitation.

The root cause of the command injection vulnerability was reading user-controlled input from the TCP port 8888 socket.

During boot, the TP-Link router’s /etc/init.d/wireless script runs /sbin/wifi init, which imports /lib/wifi/ and eventually calls /usr/sbin/rftest.

Soure – OneKey

The rftest binary propagates user-controlled input from TCP port 8888 into popen() calls, enabling command injection if the input contains “wl” or starts with “nvram” and includes “get”.

Cybersecurity analysts identified the root cause of this vulnerability as insecure data propagation within rftest. The TP-Link C5400X’s rftest binary launches a TCP server on port 8888 that accepts commands prefixed with “wl” or “nvram get.”

This can be mitigated by excluding shell metacharacters like “;”, “&”, and “|” that lead to command injection. Testing showed that remote code execution was possible via a connection to port 8888 and injecting a crafted command.

TP-Link has fixed this vulnerability in version, which users are encouraged to install through the router’s upgrade feature.

‍Follow Us on: Twitter, InstagramFacebook to get the latest security news!

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!