3. TP-LINK SR20
TP-LINK SR20
▸ All-In-One SR20 Smart Home
Router and Hub
▸ Was found an Zero-day attack by
Matthew Garrett
▸ TP-Link routers frequently run a
process called "TDDP" (TP-Link
Device Debug Protocol)
!3
5. TP-LINK DEVICE DEBUG PROTOCOL
TDDP
▸ TDDP is a simple protocol to be used for debugging.
▸ TDDP uses UDP and 1040 port to send the packet.
▸ TDDP has two versions.
▸ Version 2 is authenticated and requires password.
▸ While Version 1 can run as root without any verification.
▸ This is why we find the interesting things here.
!5
7. ZERO-DAY ATTACK
TDDP IN TP-LINK SR20
▸ TP-Link SR20 runs the version 1 of TDDP, however, it
doesn’t need any verification.
▸ TP-Link SR20 sends the packet to the 1040 port.
▸ TP-Link SR20 will download the file from TFTP when the
packet’s second byte is 0x31.
▸ This may causes the Arbitrary Code Execution.
!7