
A vulnerability in the TP-Link Archer C5400X router allows attackers to hack devices

Hackers often target routers as gateways that connect devices and networks to the Internet.

Additionally, they are lucrative targets for cybercriminals because they are often overlooked for security updates and patches.

Cybersecurity researchers at OneKey recently discovered that a flaw in the TP-Link Archer C5400X router allows attackers to remotely hack devices.

Technical analysis

Zero-day identification by the researchers revealed multiple firmware vulnerabilities, including:

  • Command injection
  • Format string bugs
  • Buffer overflow

These findings, along with others affecting vendors such as Cisco, came out of rigorous testing and validation of the researchers’ corpus of firmware, which produced significant analytical results.


The TP-Link Archer C5400X rftest file, which tests the wireless system interface, contains a network listener that can be reached by anyone on TCP ports 8888-8890 without logging in.

Security researchers say this issue could give an attacker more privileges than the device owner has.

However, TP-Link provided an analysis of actual exposure, since a binary being present in the firmware and that binary actually running are not always the same thing.

The root cause of the command injection was reading user-controlled input from the TCP port 8888 socket.

The TP-Link router’s /etc/init.d/wireless script executes a /sbin/wifi init at boot time, which imports /lib/wifi/tplink_brcm.sh and runs a tree of function calls that culminates in the run of /usr/sbin/rftest.

Attack chain (Source: OneKey)

This rftest binary propagates user-controlled input from TCP port 8888 to popen() calls, allowing command injection if the input contains “wl” or starts with “nvram” and contains “get”.

Cybersecurity researchers have identified the root cause of an insecure data propagation vulnerability within rftest.

The rftest binary on the TP-Link C5400X runs a TCP server on port 8888, which accepts commands prefixed with “wl” or “nvram get”.

However, this prefix check can be bypassed by including shell metacharacters such as “;”, “&”, and “|” in the input, which leads to command injection.
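To make the defect concrete, the following is an added illustration, not code from OneKey’s write-up or from TP-Link’s firmware. It contrasts the pattern the article describes (a bare prefix check on the raw line, after which the line reaches popen() and a shell) with a hardened handler that tokenises the input, applies an exact command allowlist, rejects any token carrying a metacharacter, and executes through execvp() so no shell ever parses user input. The function names, the allowed character set and the sample lines are all assumptions made for this example.

```c
/* Added example (not OneKey's or TP-Link's code): weak prefix check versus a
 * hardened allowlist validator that never hands the line to a shell. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ARGS 16
#define MAX_LINE 256

/* Weak pattern as the article describes it: pass if the line contains "wl",
 * or starts with "nvram" and contains "get". Whatever passes is then given
 * to popen(), where the shell interprets ';', '&', '|' and friends, so this
 * check says nothing about what will actually run. Returns 1 if it passes. */
int weak_prefix_check(const char *line) {
    return strstr(line, "wl") != NULL ||
           (strncmp(line, "nvram", 5) == 0 && strstr(line, "get") != NULL);
}

/* Assumed allowlist: only characters a legitimate wl/nvram argument needs. */
static int token_is_clean(const char *tok) {
    if (*tok == '\0') return 0;
    for (; *tok; tok++)
        if (!(isalnum((unsigned char)*tok) || strchr("_.:-", *tok)))
            return 0;           /* ';', '&', '|', '$', '`', quotes... all fail */
    return 1;
}

/* Hardened validator: split on whitespace into argv, require an exact command
 * allowlist ("wl ..." or "nvram get <name>"), reject unclean tokens.
 * Returns argc on success (argv filled, NULL-terminated) or -1 on rejection. */
int validate_rftest_line(const char *line, char *buf, size_t buflen,
                         char *argv[], int max_args) {
    if (strlen(line) >= buflen) return -1;
    strcpy(buf, line);                      /* strtok needs a writable copy */
    int argc = 0;
    for (char *tok = strtok(buf, " \t\r\n"); tok; tok = strtok(NULL, " \t\r\n")) {
        if (argc >= max_args - 1) return -1;
        if (!token_is_clean(tok)) return -1;
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    if (argc == 0) return -1;
    if (strcmp(argv[0], "wl") == 0) return argc;
    if (strcmp(argv[0], "nvram") == 0 && argc >= 3 && strcmp(argv[1], "get") == 0)
        return argc;
    return -1;
}

/* Convenience wrapper: argc if the line is acceptable, -1 otherwise. */
int hardened_check(const char *line) {
    char buf[MAX_LINE];
    char *argv[MAX_ARGS];
    return validate_rftest_line(line, buf, sizeof buf, argv, MAX_ARGS);
}

/* Execute a validated line without a shell: execvp() receives argv directly,
 * so metacharacters are plain bytes, never operators. Returns the child's
 * exit status, or -1 if the line was rejected or the process failed. */
int run_validated(const char *line) {
    char buf[MAX_LINE];
    char *argv[MAX_ARGS];
    if (validate_rftest_line(line, buf, sizeof buf, argv, MAX_ARGS) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *benign  = "nvram get wl_ssid";        /* constructed sample */
    const char *hostile = "wl ver; echo injected";    /* constructed sample */
    printf("weak check:     benign=%d hostile=%d\n",
           weak_prefix_check(benign), weak_prefix_check(hostile));
    printf("hardened check: benign=%d hostile=%d\n",
           hardened_check(benign), hardened_check(hostile));
    return 0;
}
```

The weak check accepts both constructed lines, while the hardened validator accepts only the benign one; the real defence, though, is the execution path: with execvp() there is no shell to honour a separator even if a validator slips, and validation on top of that keeps the attack surface down to the two intended commands.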

Testing confirmed remote code execution by connecting to port 8888 and issuing an identity command.

TP-Link has fixed this vulnerability in version 1_1.1.7, and users are encouraged to install it via the router’s update feature.
