The authors developed a binary zero-day identification feature and tested it on firmware to identify vulnerabilities. They reported these vulnerabilities to vendors and plan to disclose most of them publicly.
The program in question, rftest, is used for radio-frequency testing; it exposes a network listener on particular ports, and the identified security flaws make that listener susceptible to attack.
A critical remote command execution (RCE) vulnerability (CVE-2024-5035) was identified in TP-Link Archer C5400X routers, which affects firmware versions <= 1_1.1.6 and allows unauthenticated attackers to remotely execute arbitrary commands on the device with elevated privileges.
The vulnerability resides in the rftest binary, launched during router initialization, and is exploitable due to command injection and buffer overflow weaknesses. TP-Link has addressed this issue in firmware version 1_1.1.7, released on May 10, 2024, and updating to the latest firmware is crucial to mitigate this high-severity (CVSS:4.0) vulnerability.
A critical vulnerability exists in TP-Link Archer C5400X routers due to a command injection flaw in the rftest binary, which, launched at startup, exposes a network service vulnerable to remote, unauthenticated attacks.
Successful exploitation allows attackers to execute arbitrary commands with elevated privileges on the device. The extent of exposure on production devices is unclear, but the vulnerability has been confirmed in emulated environments.
Static analysis identified a potential command injection vulnerability, in which user-controlled data read from TCP port 8888 is used in two separate `popen` calls.
The first call is triggered by data containing "wl", while the second targets data starting with "nvram" and containing "get", which suggests that an attacker could inject arbitrary commands through the socket, potentially for malicious purposes.
A vulnerability in TP-Link routers allowed remote command injection through the rftest service, which normally accepts only commands starting with “wl” or “nvram get” and was vulnerable to injection after shell meta-characters like “;”.
According to OneKey, an attacker could exploit this by sending a crafted command containing both a legitimate command and a malicious one, separated by the meta-character.
TP-Link implemented a fix for the issue by removing any commands that contained these characters.
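As an added illustration (this is not TP-Link's or OneKey's code, and the rftest binary itself was not available to reproduce), the C below contrasts a prefix-only allowlist of the kind described for rftest with a hardened validator that rejects shell metacharacters, bounds the input length, and splits the command into an argv vector so it can be run with `execvp`/`posix_spawnp` instead of being handed to a shell through `popen`. The sample inputs, the 256-byte buffer size, and the `lan_ipaddr` NVRAM key are constructed for the example; nothing here executes a command.

```c
// Added example: weak prefix allowlist vs. hardened command validation.
// Not taken from the rftest binary; sample inputs are constructed.
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_ARGS 16

/* Weak check modelled on the behaviour described for rftest: anything that
   starts with "wl", or starts with "nvram" and contains "get", is accepted.
   Because the string then goes to a shell, a ";" (or |, &, `, $(...), newline)
   lets a second command ride along behind the permitted one. */
int weak_is_allowed(const char *cmd) {
    if (strncmp(cmd, "wl", 2) == 0) return 1;
    if (strncmp(cmd, "nvram", 5) == 0 && strstr(cmd, "get") != NULL) return 1;
    return 0;
}

/* Hardened check:
   1. exact command prefixes ("wl " / "nvram get "), not just substrings,
   2. every byte must come from a conservative set, so no shell metacharacter
      can appear anywhere in the line (this is the "reject these characters"
      fix, applied as an allowlist rather than a blocklist),
   3. the length is bounded by the buffer the caller actually owns. */
int hardened_is_allowed(const char *cmd, size_t max_len) {
    size_t n = strlen(cmd);
    if (n == 0 || n >= max_len) return 0;
    if (strncmp(cmd, "wl ", 3) != 0 && strncmp(cmd, "nvram get ", 10) != 0) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)cmd[i];
        if (!(isalnum(c) || c == ' ' || c == '-' || c == '_' || c == '.'))
            return 0;
    }
    return 1;
}

/* Split an already-validated command on spaces into a NULL-terminated argv,
   suitable for execvp()/posix_spawnp(). No shell is involved, so even a
   metacharacter that slipped through would be an inert argument. Copies cmd
   into buf (must hold strlen(cmd)+1 bytes). Returns argc, or -1 on overflow. */
int split_argv(const char *cmd, char *buf, size_t buf_len, char **argv, int max_args) {
    size_t n = strlen(cmd);
    if (n + 1 > buf_len) return -1;
    memcpy(buf, cmd, n + 1);
    int argc = 0;
    char *p = buf;
    while (*p) {
        while (*p == ' ') p++;              /* skip separators */
        if (!*p) break;
        if (argc >= max_args - 1) return -1; /* leave room for the NULL */
        argv[argc++] = p;
        while (*p && *p != ' ') p++;        /* advance to end of token */
        if (*p) *p++ = '\0';                /* terminate token in place */
    }
    argv[argc] = NULL;
    return argc;
}

int main(void) {
    /* Constructed inputs: two legitimate commands, two with a trailing
       injected command after a ";" (the pattern described in the article). */
    const char *samples[] = {
        "wl status",
        "nvram get lan_ipaddr",
        "wl status; echo injected",
        "nvram set foo=bar; get",
    };
    char buf[256];
    char *argv[MAX_ARGS];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int w = weak_is_allowed(samples[i]);
        int h = hardened_is_allowed(samples[i], sizeof buf);
        printf("%-26s weak=%d hardened=%d", samples[i], w, h);
        if (h) {
            int argc = split_argv(samples[i], buf, sizeof buf, argv, MAX_ARGS);
            printf("  argc=%d argv[0]=%s", argc, argv[0]);
        }
        printf("\n");
    }
    return 0;
}
```

The weak validator accepts both injected samples; the hardened one rejects them on the ";" before any shell sees the line. Keeping the prefix allowlist even after moving to `execvp` matters: the argv split removes the shell, but the allowlist is what still limits the service to the two binaries it is meant to drive.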