TP-Link Archer routers allow remote takeover without passwords

TP-Link has addressed a critical vulnerability impacting some TP-Link Archer routers that could allow attackers to login without passwords.

TP-Link addressed a critical zero-day vulnerability (CVE-2017-7405) in its TP-Link Archer routers that could be exploited by attackers to remotely take their control over LAN via a Telnet connection without authentication.

“This is a zero-day flaw that was not previously reported and can affect both home and business environments.” explained IBM X-Force Red‘s Grzegorz Wypych (aka @horac341). “If exploited, this router vulnerability can allow a remote attacker to take control of the router’s configuration via Telnet on the local area network (LAN) and connect to a File Transfer Protocol (FTP) server through the LAN or wide area network (WAN).”

The flaw could allow unauthorized third-party access to the router with admin privileges without proper authentication.

The flaw could be triggered by an attacker by sending an HTTP request containing a string longer than the expected string length, causing the password to get completely voided and replaced by an empty value. 

The expert explained that the Common Gateway Interface (CGI) validation is only based on the referrer’s HTTP headers. This means that if it matches the IP address or the domain associated with tplinkwifi.net, then the router’s main service, HTTPD, will recognize it as valid.

Since TP-Link Archer routers only implement admin user type with root privileges, and all processes run as root, an attacker could operate as admin and take full control over the device.

The attackers could also lock out legitimate users that will be no more able to log in to the web service of the device.

“In such an event, the victim could lose access to the console and even a shell, and thereby would not be able to re-establish a new password.” continues the post. “Even if there was a way to set a new password, the next vulnerable LAN/WAN/CGI request would, once again, void the password. The only access would, therefore, be FTP files via a USB port connection.”

The experts also pointed out that the RSA encryption key would fail since it is not designed to work with an empty password.

“The risk is greater on business networks where routers such as this can be used to enable guest Wi-Fi. If placed on the enterprise network, a compromised router can become a point of entry to an attacker, and a place to pivot from in recon and lateral movement tactics.” the expert concludes.

TP-Link has already addressed the flaw with the release of the following security patches for Archer C5 V4, Archer MR200v4, Archer MR6400v4, and Archer MR400v3 routers:

Firmware for Archer C5 V4:

https://static.tp-link.com/2019/201909/20190917/Archer_C5v4190815.rar

Archer MR200v4:

https://static.tp-link.com/2019/201909/20190903/Archer%20MR200(EU)_V4_20190730.zip

Archer MR6400v4:

https://static.tp-link.com/2019/201908/20190826/Archer%20MR6400(EU)_V4_20190730.zip

Archer MR400v3:

https://static.tp-link.com/2019/201908/20190826/Archer%20MR400

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – TP-Link Archer, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]