TP-Link Router Bug Lets Attackers Login Without Passwords

There is a critical vulnerability found in the TP-Link which impacts its archer routers. Exploiting the vulnerability, attackers can void the password of admin access and take charge of the devices remotely through LAN (Local Area Network) with the help of a Telnet connection. Legitimate users will no longer be able to access web services because the password is unacceptable.

“If exploited, this router vulnerability can allow a remote attacker to take control of the router’s configuration via Telnet on the local area network (LAN) and connect to a File Transfer Protocol (FTP) server through the LAN or wide area network (WAN),” as per IBM X-Force Red’s Grzegorz Wypych written on his Twitter handle.

Attackers can exploit this security flaw by sending an HTTP request which contains a character longer than the standard number of bytes. Consequently, the password of the user is completely void and changed with a blank value.

TP-Link has embedded validation still attackers manage to void the password. This is because the system only checks the HTTP headers of the referrer. This enables the attacker to trick the router’s httpd service to intimate the request as valid. Attackers use the hardcoded value.

Full Router Takeover

Such routers are used only by ‘Admin’ access who has the complete root permissions. So, once the attackers bypass the authentication process, they get the privilege to gain administrator permission.

“All processes are run by the user under this access level, which can allow an attacker to operate as admin and take over the device. Not only can attackers attain privileged access, but the legitimate user can also be locked out and would no longer be able to log in to the web service through the user interface since that page would no longer accept any passwords (unbeknownst to the user),” Wypych adds. “In such an event, the victim could lose access to the console and even a shell, and thereby would not be able to re-establish a new password.”

The issue will even prevail when the admin owner changes the password and set the new one. Attackers will be able to void the new password also using another LAN/WAN/CGI network. Moreover, RSA encryption keys will also fail, because they can’t work if the password field is blank.

This flaw is considered critical since it can grant unauthorized third-party access to the router with admin privileges, which are the default on this device for all users, without proper authentication taking place,” Wypych further explains.

“The risk is greater on business networks where routers such as this can be used to enable guest Wi-Fi. If placed on the enterprise network, a compromised router can become a point of entry to an attacker, and a place to pivot from in recon and lateral movement tactics.”

Security Patches are Available

TP-Link immediately released the security patches to help the customers and protect the routers from attackers. To download the security patches available for the Archer C5 V4, Archer MR200v4, Archer MR6400v4, and Archer MR400v3 routers.



Please enter your comment!
Please enter your name here