Critical remote execution flaw lurks in TP-Link Wi-Fi Extenders

Grzegorz Wypychmember, Security Researcher, IBM X-Force has revealed a zero-day flaw that impacts TP-Link Wi-Fi Extenders. In a blog post, the researcher described that the flaw impacts models RE350, RE365, RE500, RE650 running firmware version 1.0.2, build 20180213.

An extender is a device that is capable of capturing Wi-Fi signals from the main router to rebroadcast the same signal, to improve signal strength. These extenders are suitable for both commercial and domestic properties and used to area with weak Wi-Fi coverage and black spots.

This critical flaw can be exploited to launch Remote Code Execution. As the since many devices are connected to internet, the hackers get the possibility of vulnerabilities to remotely access and compromise systems.

He added that this bug can be used to access the extender remotely without any authentication, giving a chance for attackers to gain complete control over the device by hijacking its firmware. These extenders are based on MIPS arch, and hence the vulnerability can be launched by abusing a malformed user agent field in header files of HTTP to exploit devices and run shell commands.

The team reported to have succeeded gaining root level shell while trying to connect to a test RE365 device via TCP port 4444 and added that this can be achieved without any need for additional privilege escalation attack in this process since all the processes on any device run with root level access.