A recent discovery has shed light on a significant vulnerability found in TP-Link’s HomeShield function, impacting a variety of their devices including the Archer, Deco, and Tapo series routers. This vulnerability, known as CVE-2024-53375, exposes a flaw in the device firmware, enabling unauthorized users to inject malicious commands.
The vulnerability is specifically located within the TP-Link routers’ firmware, particularly in functions related to executing system commands. This flaw, present in both older and current firmware versions as of November 2024, can potentially lead to Remote Code Execution (RCE) on the affected devices. The core issue stems from an improperly sanitized variable, ownerId, within TP-Link’s avira.lua file, which is then passed to the os.execute function. This vulnerability allows attackers to execute arbitrary commands with root privileges, providing them with full control over the compromised device.
To exploit this vulnerability, the attacker must first authenticate themselves, although the authentication process has been streamlined through existing exploit frameworks available online. By crafting a malicious payload that manipulates the ownerId parameter, attackers can access sensitive files such as /etc/passwd and /etc/shadow, thereby exposing user credentials. A sample code snippet used for exploitation has been provided to demonstrate the process.
A detailed technical analysis of the firmware was conducted by security researchers, involving the extraction and emulation of the firmware using tools like binwalk and qemu-arm-static. This analysis enabled researchers to identify the vulnerable code paths that lead to the misuse of the os.execute function. By navigating the firmware’s filesystem and pinpointing key vulnerability points, researchers were able to construct a proof-of-concept exploit.
In response to this vulnerability, TP-Link users are urged to update their router firmware promptly once a patch is released by the company. In the interim, users are advised to ensure all input data, such as ownerId, is properly validated and sanitized using functions like tonumber in Lua to prevent injection attacks. This incident highlights the critical importance of thorough input validation in firmware development.
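To make the flaw class and the suggested fix concrete, here is an added illustration in Lua; it is constructed for this article and is not TP-Link's avira.lua or any other TP-Link code. The helper tool name, its `--owner` flag and the function names are assumptions.

```lua
-- Constructed illustration of the bug class described above (not the real firmware code).
-- Both functions only BUILD the command string; in the firmware the result of the
-- vulnerable pattern is what reaches os.execute and runs as root.

-- Vulnerable pattern: the untrusted ownerId value is concatenated straight into a shell
-- command, so any shell metacharacters in it become part of what os.execute runs.
local function build_cmd_unsafe(ownerId)
  return "owner_tool --owner " .. tostring(ownerId)   -- 'owner_tool' is a placeholder name
end

-- Hardened pattern: only accept a non-negative integer and convert it with tonumber().
-- tonumber() alone also accepts hex ("0x2a"), exponents ("1e3") and surrounding
-- whitespace, so require an all-digit string before converting.
local function validate_owner_id(ownerId)
  if type(ownerId) ~= "string" or not ownerId:match("^%d+$") then
    return nil, "ownerId must be a non-negative integer"
  end
  return tonumber(ownerId)
end

-- The validated value is a plain number; formatting it with %d guarantees that no
-- metacharacters from the original request can reach the command string.
local function build_cmd_safe(ownerId)
  local id, err = validate_owner_id(ownerId)
  if not id then
    return nil, err
  end
  return string.format("owner_tool --owner %d", id)
end

-- Constructed sample inputs: a legitimate id, and one carrying a command separator.
assert(validate_owner_id("42") == 42)
assert(validate_owner_id("42; ls") == nil)
assert(validate_owner_id("0x2a") == nil)
assert(build_cmd_safe("42") == "owner_tool --owner 42")
assert(build_cmd_safe("42; ls") == nil)

-- Show the difference between the two patterns on the hostile input.
print("unsafe : " .. build_cmd_unsafe("42; ls"))
print("safe   : " .. tostring(build_cmd_safe("42; ls")))
```

The same check (type, strict digit pattern, then conversion) applies to any value that ends up in os.execute or io.popen, not just ownerId.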
While TP-Link is expected to issue a patch soon, users are encouraged to maintain vigilance and adhere to recommended security practices to safeguard their devices and personal information from potential cyber threats. By staying informed and taking proactive measures, users can strengthen their defenses against malicious actors and improve overall cybersecurity resilience.
