module
TP-Link Archer A7/C7 Unauthenticated LAN Remote Code Execution
| Disclosed | Created |
|---|---|
| 03/25/2020 | 04/15/2020 |
Disclosed
03/25/2020
Created
04/15/2020
Description
This module exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer), running on
the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture, firmware version 190726.
The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does
not need any authentication to abuse it. After exploitation, an attacker will be able to execute any command
as root, including downloading and executing a binary from another host.
This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro +
Radek Domanski).
This module was updated in November 2020, after a bypass was discovered for the patch TP-Link issued. The new
injection technique works on older firmware too. All firmware versions up to (but excluding) releases 201029 and
201030 are exploitable.
the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture, firmware version 190726.
The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does
not need any authentication to abuse it. After exploitation, an attacker will be able to execute any command
as root, including downloading and executing a binary from another host.
This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro +
Radek Domanski).
This module was updated in November 2020, after a bypass was discovered for the patch TP-Link issued. The new
injection technique works on older firmware too. All firmware versions up to (but excluding) releases 201029 and
201030 are exploitable.
Authors
Pedro Ribeiro Radek Domanski @RabbitPro>
Platform
Linux
Architectures
mipsbe
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/linux/misc/tplink_archer_a7_c7_lan_rce
msf /(e) > show actions
...actions...
msf /(e) > set ACTION < action-name >
msf /(e) > show options
...show and set options...
msf /(e) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.