Expert found a critical RCE zero-day in TP-Link Wi-Fi Extenders

A zero-day vulnerability affects multiple models of TP-Link Wi-Fi extenders, it could be exploited to remotely execute code.

Security expert Grzegorz Wypych from IBM X-Force found a zero-day flaw that affects multiple models of TP-Link Wi-Fi extenders.

The Wi-Fi extenders capture the Wi-Fi signal from the main network device and rebroadcast it to areas where the signal is weak.

The vulnerability discovered by the expert could be exploited to remotely execute code on vulnerable devices and get complete control over the device and command it with the same privileges of the device’s legitimate user.

“As part of a recent series of vulnerabilities discovered in home routers, IBM X-Force researcher Grzegorz Wypych discovered a zero-day flaw in a TP-Link Wi-Fi extender.” reads the advisory published by IBM. “If exploited, this remote code execution (RCE) vulnerability can allow arbitrary command execution via a malformed user agent field in HTTP headers.”

The RCE flaw affects TP-Link Wi-Fi Extender models RE365, RE650, RE350 and RE500 running firmware version 1.0.2, build 20180213.

The flaw could be exploited by an unauthenticated remote attacker, the attack doesn’t require privilege escalation since all processes on the vulnerable devices already run with root-level access.

The extender operates on the MIPS architecture, like many routers, the zero-day flaw can be triggered

TP-Link’s Wi-Fi extenders operate on MIPS architecture and the vulnerability can be triggered by sending a malformed HTTP request.

The HTTP request that can allow the execution of any shell command on the targeted RE365 Wi-Fi extender.

“The following image shows an open telnet session from a fully compromised device. After connecting to TCP port 4444 we were able to obtain root level shell on the Wi-Fi extender without any privilege escalation, with all processes running as root.” continues the analysis.

“The sort of impact one can expect from such unauthenticated access is, for example, requesting the device to browse to a botnet command and control server or an infection zone,”

The experts warn of the risks of massive attacks on IoT devices carried out thought Mirai-like bots.

TP-Link already released security patches to address the zero-day flaw, the vendor published separated updates for each of the impacted models of Wi-Fi extenders (RE365, RE500, RE650, RE350).

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – TP-Link Wi-Fi extenders, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.