Hackers often target routers as the gateways that connect devices and networks to the internet.

Besides this, they are lucrative targets for threat actors since they are often overlooked regarding security updates and patches.

Cybersecurity researchers at OneKey recently discovered that the TP-Link Archer C5400X router flaw enables attackers to hack devices remotely.

Technical Analysis

The researchers’ zero-day identification feature uncovered multiple vulnerabilities across the firmware, including:

Command injection

Format string in shell

Buffer overflows

These findings, along with others from vendors like Cisco, were disclosed after rigorous testing and validation on researchers’ firmware corpus, ensuring meaningful analysis results.


The TP-Link Archer C5400X’s rftest binary, which tests the wireless system’s interface, has a network listener on TCP ports 8888-8890 that anyone can reach without logging in.

Security analysts say this problem could give an attacker higher privileges than the device owner.

However, TP-Link has submitted an actual exposure analysis, since a binary being present in the firmware and that binary actually running and listening are not always the same thing.

The root cause for command injection was reading user-controlled input from the TCP port 8888 socket.

The TP-Link router’s /etc/init.d/wireless script executes /sbin/wifi init on boot, which imports /lib/wifi/tplink_brcm.sh and triggers a function call tree culminating in /usr/sbin/rftest launch. 

Attack chain (Source – OneKey)

This rftest binary propagates user-controlled input from TCP port 8888 into popen() calls, enabling command injection if the input contains “wl” or starts with “nvram” and contains “get”. 

Cybersecurity analysts have identified this insecure data propagation within rftest as the root cause of the vulnerability.

On the C5400X, the rftest binary launches a TCP server on port 8888 that only accepts commands prefixed with “wl” or “nvram get.”

However, this restriction can be bypassed by including shell metacharacters like “;”, “&”, and “|” in the command, which lead to command injection.

The test revealed that remote code execution was successful through a connection to port 8888 and the injection of an identity command.
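To show why a prefix check on a line that later reaches popen() is not a defence, here is an added illustration in C (written for this page, not OneKey’s or TP-Link’s code). The first function models the acceptance rule the article describes for rftest; the second is a hardened replacement that tokenises the line into an argv[], allow-lists the exact command word, rejects any token containing characters outside a conservative set, and hands the result to execvp() so no shell ever parses the input. All inputs in the block are constructed samples, and the allowed argument character set is an assumption chosen for the example.

```c
/* Added example, not code from OneKey or TP-Link: contrasts the prefix check
 * described for rftest with an allow-list parser that never involves a shell. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_ARGS 8

/* Models the check described in the article: a line passes if it contains
 * "wl" anywhere, or starts with "nvram" and contains "get". In rftest an
 * accepted line was passed to popen(), so ";", "&" or "|" inside it were
 * interpreted by the shell. */
int vulnerable_accepts(const char *line)
{
    if (strstr(line, "wl") != NULL)
        return 1;
    if (strncmp(line, "nvram", 5) == 0 && strstr(line, "get") != NULL)
        return 1;
    return 0;
}

/* Hardened check. Copies the line into buf, splits it on spaces into argv[]
 * (NULL-terminated), and accepts only "wl ..." or "nvram get ...". Every
 * token is limited to [A-Za-z0-9_.-] (an assumed character set for this
 * example), which rejects all shell metacharacters. Returns argc on success,
 * 0 on rejection. */
int hardened_parse(const char *line, char *buf, size_t buflen,
                   char *argv[], size_t max_args)
{
    size_t argc = 0;
    char *p;

    if (strlen(line) >= buflen)
        return 0;
    strcpy(buf, line);

    p = buf;
    while (*p) {
        while (*p == ' ')
            p++;
        if (!*p)
            break;
        if (argc + 1 >= max_args)       /* leave room for the NULL terminator */
            return 0;
        argv[argc++] = p;
        while (*p && *p != ' ') {
            if (!isalnum((unsigned char)*p) && !strchr("_.-", *p))
                return 0;               /* ';', '&', '|', '$', '`', quotes... */
            p++;
        }
        if (*p)
            *p++ = '\0';
    }
    argv[argc] = NULL;

    if (argc == 0)
        return 0;
    if (strcmp(argv[0], "wl") == 0)
        return (int)argc;
    if (strcmp(argv[0], "nvram") == 0 && argc >= 2 && strcmp(argv[1], "get") == 0)
        return (int)argc;
    return 0;
}

/* Runs a validated argv[] directly via execvp(): the arguments reach the
 * program as-is, with no shell in between. Returns the child's exit status,
 * or -1 on failure to fork/wait. */
int run_without_shell(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                     /* exec failed (e.g. wl not installed) */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample lines, as a listener on port 8888 might receive them. */
    const char *samples[] = { "wl ver", "nvram get wl0_ssid", "wl ver; id",
                              "nvram set x", "" };
    char buf[256];
    char *argv[MAX_ARGS];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int argc = hardened_parse(samples[i], buf, sizeof buf, argv, MAX_ARGS);
        printf("%-22s prefix-check=%d hardened=%s\n", samples[i],
               vulnerable_accepts(samples[i]), argc ? "accept" : "reject");
    }
    return 0;
}
```

The point of the contrast is that "wl ver; id" satisfies the original rule (it contains "wl") and would reach popen() intact, whereas the hardened parser rejects it on the ";" before any command is built; the per-token character check, not the command-word allow-list alone, is what closes the injection.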

TP-Link has fixed this vulnerability in version 1_1.1.7, which users are encouraged to upgrade to via the router’s upgrade feature.
