Details here: https://twitter.com/mjg59/status/1111106885736787975
PoC: https://pastebin.com/GAzccR95
It's been over 90 days since I reported it and @TPLINK never responded, so: arbitrary command execution on the TP-Link SR20 smart hub and router (and possibly other TP-Link devices)
TP-Link routers frequently run a process called "tddp" (TP-Link Device Debug Protocol) as root. It's had multiple vulnerabilities in the past and the protocol is fairly well documented. Version 1 has no auth, version 2 requires the admin password.
The SR20 still exposes some version 1 commands, one of which (command 0x1f, request 0x01) appears to be for some sort of configuration validation. You send it a filename, a semicolon and then an argument.
The router then connects back to the requesting machine over TFTP, requests the filename via TFTP, imports it into a Lua interpreter and passes the argument to the config_test() function in the file it just imported. The interpreter is running as root.
The os.execute() method allows you to execute whatever you want, and you're running as root, so victory. tddp is listening on all interfaces but the default firewall rules block WAN access, so this is local network only.
Anyway, stop shipping debug daemons on production firmware and if you're going to have a webform to submit security issues then have someone actually respond to it.
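The one network-visible trait the thread describes is unusual for a router: the device itself opens a TFTP session back to a LAN host right after that host talked to tddp. That pairing is something a defender can look for in flow logs while waiting for a firmware fix. The script below is an added example and is not code from the thread, from mjg59 or from TP-Link. It parses a constructed key=value flow-log format, correlates an inbound UDP datagram to the router's tddp port with a subsequent router-initiated TFTP request to the same host, and also flags any router-to-LAN TFTP fetch on its own. The tddp port value of UDP/1040 is an assumption (it is the port tddp is commonly documented on, but the thread above does not state it), so it is kept as a single configurable constant.

```python
"""Detect the tddp-style callback pattern in flow logs: a LAN host sends UDP to the
router's debug port, then the router connects back to that host over TFTP (UDP/69)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

TFTP_PORT = 69
# Assumption: tddp is commonly documented as listening on UDP/1040. The source
# thread does not give the port, so adjust this if your device differs.
TDDP_PORT = 1040
# How soon after the tddp datagram a router-initiated TFTP request counts as correlated.
CORRELATION_WINDOW = timedelta(seconds=30)

# Constructed log format (one flow per line): "<iso-timestamp> proto=.. src=.. sport=.. dst=.. dport=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) sport=(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


@dataclass
class Flow:
    ts: datetime
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Flow(ts, m["proto"].lower(), m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def find_tddp_callbacks(lines: Iterable[str], router_ip: str) -> List[Dict[str, str]]:
    """Return findings for router-initiated TFTP requests to LAN hosts.

    severity "high":   the same host sent UDP to router:TDDP_PORT within CORRELATION_WINDOW
    severity "medium": router fetched over TFTP from a LAN host with no tddp datagram seen
    """
    flows = [f for f in (parse_flow(l) for l in lines) if f is not None]
    flows.sort(key=lambda f: f.ts)
    last_tddp_by_host: Dict[str, datetime] = {}
    findings: List[Dict[str, str]] = []
    for f in flows:
        if f.proto != "udp":
            continue
        # Inbound datagram to the router's debug port: remember who sent it and when.
        if f.dst == router_ip and f.dport == TDDP_PORT:
            last_tddp_by_host[f.src] = f.ts
            continue
        # Router reaching out to a LAN host over TFTP is the callback described in the thread.
        if f.src == router_ip and f.dport == TFTP_PORT:
            seen = last_tddp_by_host.get(f.dst)
            if seen is not None and f.ts - seen <= CORRELATION_WINDOW:
                findings.append({"host": f.dst, "severity": "high", "time": f.ts.isoformat(),
                                 "reason": "tddp datagram followed by router-initiated TFTP fetch"})
            else:
                findings.append({"host": f.dst, "severity": "medium", "time": f.ts.isoformat(),
                                 "reason": "router-initiated TFTP fetch from LAN host"})
    return findings


# Constructed sample: one correlated callback, one benign DNS query, one uncorrelated TFTP fetch.
SAMPLE_LOG = """\
2019-03-28T10:00:00Z proto=udp src=192.168.0.23 sport=40000 dst=192.168.0.1 dport=1040
2019-03-28T10:00:01Z proto=udp src=192.168.0.1 sport=33333 dst=192.168.0.23 dport=69
2019-03-28T10:00:05Z proto=udp src=192.168.0.5 sport=51000 dst=192.168.0.1 dport=53
2019-03-28T10:02:00Z proto=udp src=192.168.0.1 sport=33334 dst=192.168.0.9 dport=69
"""

if __name__ == "__main__":
    for finding in find_tddp_callbacks(SAMPLE_LOG.splitlines(), router_ip="192.168.0.1"):
        print(finding)
```

In practice you would feed this exported conntrack, NetFlow or firewall-accept lines for the LAN segment; a TFTP client on the router reaching into the LAN is rare enough on consumer gear that even the medium-severity hits deserve a look. Blocking the debug port at the LAN side, as the thread's firewall note already does for the WAN side, removes the pattern entirely.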